The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (e.g.,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to those of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.

Also, it's now possible to reuse an existing private key (with -f).

SMTP client connection caching was introduced in 2.6.0: the SMTP session is
held for the next task (in adaptive mode, only when there was a delay of only
5s between the two previous mails), but Postfix will terminate it if the next
mail doesn't come soon enough, or if amavis doesn't terminate it itself (usually
after 15s).

(Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, requires a full restart,
but most of the time it's overkill.

And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect.

So unfortunately we can't fit a 2048-bit RSA key.

For DKIM signing and virus checking.

Unlike adduser(8), ansible's 'user' module copies skeletal configuration
files even for system users (unless called with createhome=no).

This is important as we don't want the IMAP server banning the webmail,
for instance.  (The fail2ban instance running next to the webmail should
ban the attacker, but that running next to the IMAP server shouldn't ban
legit users.)

The reason is that we don't want to rely on CAs to verify the
certificate of our server.  Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint.  stunnel
does.

For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.

In 2.1.7 they are buggy, and make Dovecot crash (when connected through
Evolution for instance). They have improved a lot since, though:
  http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS

Sadly not doing so and keeping a table message ID -> username, like we
do for SASL authenticated users, doesn't seem trivial here.  We could
encrypt the header, though.

In fact we want to only rewrite the envelope sender:
    :/etc/postfix/main.cf
    # Overwrite local FQDN envelope sender addresses
    sender_canonical_classes       = envelope_sender
    propagate_unmatched_extensions =
    sender_canonical_maps          = cdb:$config_directory/sender_canonical
    :/etc/postfix/sender_canonical
    @elefant.fripost.org     admin@fripost.org
However, when canonical(5) processes a mail sent via sendmail(1), it
rewrites the envelope sender which seems to *later* be used as From:
header.

This is required for dbox, see
http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox

There seem to be multiple bugs with the version from wheezy-backports
(2.2.9-1~bpo70+1), and the client is killed on THREAD commands:
  guilhem@elefant:~$ telnet localhost 143
  Trying ::1...
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
  a LOGIN guilhem xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in
  b SELECT INBOX
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
  * 8060 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1302032711] UIDs valid
  * OK [UIDNEXT 78905] Predicted next UID
  * OK [NOMODSEQ] No permanent modsequences
  b OK [READ-WRITE] Select completed (0.395 secs).
  c THREAD REFERENCES UTF-8 ALL
  Connection closed by foreign host.
  :/var/log/syslog
  Jun 27 21:58:01 elefant dovecot: imap(guilhem@fripost.org): Fatal: master: service(imap): child 24907 killed with signal 11 (core dumps disabled)
  Jun 27 21:58:01 elefant kernel: [248570.057270] imap[24907]: segfault at 400 ip 00007f7651596e09 sp 00007fff6e267760 error 4 in libdovecot.so.0.0.0[7f765153a000+cc000]
Other (less scary) errors can be found in the syslog:
  Jun 27 20:26:09 elefant dovecot: imap(xxxx@fripost.org): Error: file_dotlock_open() failed with file /home/imapproxy/fripost.org/xxxx/imapc/dovecot.list.index.log: No such file or directory
  Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc(imap.fripost.org:993): Command '11 APPEND "Sent" (\Seen) {2512485}' timed out, disconnecting
  Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc: COPY failed: Disconnected from server
  Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Disconnected: IMAP session state is inconsistent, please relogin. in=2512632 out=969
This is unfortunate as we cannot benefit from the 'fetch-headers'
imapc_features right now.  However, the bugs (at least the segfault) seem to
be fixed as of 2.2.13-1, the version which can currently be found in testing.
Hopefully it'll be backported soon :-)

This ensures that Dovecot won't deliver messages if the disk hasn't been
mounted, for instance.

So we set 'first_valid_uid' to 1, to accept any UID.