summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
...
* Make the Ansible LDAP plugin able to delete entries and attributes.Guilhem Moulin2015-06-072
| | | | | Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
* Fix race condition when generating cerificates for slapd.Guilhem Moulin2015-06-072
| | | | | The SyncProv won't start if the file olcTLSCACertificateFile points to doesn't exist.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-0719
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add note how to test SASL EXTERNAL authentication via TLS.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Generate the DKIM key on the outgoing instance only.Guilhem Moulin2015-06-071
|
* Fix a corner case in reserved-alias.pl.Guilhem Moulin2015-06-071
| | | | | 'if $l' is false when $l is 0, while 0@example.org is a perfectly valid address.
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-075
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-074
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Add ability to chmod, chown and set the key usage in genkeypair.Guilhem Moulin2015-06-071
|
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-073
|
* Increase the timeout in the smtpd waiting for the reinjection from amavis.Guilhem Moulin2015-06-073
| | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
* Disable Nagle's algorithm (and SSLv3) in stunnel.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|
* Performance tuning in Dovecot's configuration.Guilhem Moulin2015-06-073
|
* Don't install daemontools.Guilhem Moulin2015-06-071
|
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-0710
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-0714
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-075
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Loopia's maximum length for TXT records is 255 chars.Guilhem Moulin2015-06-073
| | | | So unfortunately we can't fit a 2048-bits RSA key.
* wibbleGuilhem Moulin2015-06-072
|
* typoGuilhem Moulin2015-06-072
|
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-0713
| | | | For DKIM signing and virus checking.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Remove IPSec related files.Guilhem Moulin2015-06-075
|
* Make the IMAP caching proxy listen on ::1.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-073
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Whitelist our IPs against fail2ban.Guilhem Moulin2015-06-071
| | | | | | | This is important as we don't want the IMAP server baning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-076
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Tel logcheck which logs to monitor.Guilhem Moulin2015-06-071
|
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-0723
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-0711
|
* Don't use mailbox list indexes.Guilhem Moulin2015-06-072
| | | | | | | In 2.1.7 they are buggy, and make Dovecot crash (when connected through Evolution for instance). They have improved a lot since, though: http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
* Expose the real user ID when using the webmail.Guilhem Moulin2015-06-071
| | | | | | Sadly not doing so and keeping a table message ID -> username, like we do for SASL authenticated users, doesn't seem trivial here. We could encrypt the header, though.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-075
|
* Fix syntax error.Guilhem Moulin2015-06-073
|
* Don't install 'unhide.rb'.Guilhem Moulin2015-06-072
|
* Don't use generic maps.Guilhem Moulin2015-06-073
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-075
|
* Make genkeypair.sh able to display TXT record for DKIM signatures.Guilhem Moulin2015-06-073
|
* Add support for CSR and subjectAltName in genkeypair.sh.Guilhem Moulin2015-06-072
|
* Create a nightly cron job to purge expunged messages.Guilhem Moulin2015-06-071
| | | | | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
* Force Roundcube to connect the IMAP server on localhost:143.Guilhem Moulin2015-06-071
|
* Allow Roundcube to offer JavaScript.Guilhem Moulin2015-06-071
|
* Revert dovecot (imapc) to stable (2.1.7-7+deb7u1).Guilhem Moulin2015-06-072
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There seem to be multiple bugs with the version from wheezy-backports (2.2.9-1~bpo70+1), and the client is killed on THREAD commands: guilhem@elefant:~$ telnet localhost 143 Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready. a LOGIN guilhem xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in b SELECT INBOX * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted. * 8060 EXISTS * 0 RECENT * OK [UIDVALIDITY 1302032711] UIDs valid * OK [UIDNEXT 78905] Predicted next UID * OK [NOMODSEQ] No permanent modsequences b OK [READ-WRITE] Select completed (0.395 secs). c THREAD REFERENCES UTF-8 ALL Connection closed by foreign host. :/var/log/syslog Jun 27 21:58:01 elefant dovecot: imap(guilhem@fripost.org): Fatal: master: service(imap): child 24907 killed with signal 11 (core dumps disabled) Jun 27 21:58:01 elefant kernel: [248570.057270] imap[24907]: segfault at 400 ip 00007f7651596e09 sp 00007fff6e267760 error 4 in libdovecot.so.0.0.0[7f765153a000+cc000] Other (less scary) errors can be found in the syslog: Jun 27 20:26:09 elefant dovecot: imap(xxxx@fripost.org): Error: file_dotlock_open() failed with file /home/imapproxy/fripost.org/xxxx/imapc/dovecot.list.index.log: No such file or directory Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc(imap.fripost.org:993): Command '11 APPEND "Sent" (\Seen) {2512485}' timed out, disconnecting Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc: COPY failed: Disconnected from server Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Disconnected: IMAP session state is inconsistent, please relogin. in=2512632 out=969 This is infortunate as we cannot benefit from the 'fetch-headers' imapc_features right now. However, the bugs (at least the segfault) seems to be fixed as of 2.2.13-1, the version which can currently be found in testing. Hopefully it'll be backported soon :-)
* Dovecot wibble.Guilhem Moulin2015-06-073
|