| Commit message | Author | Date | Files |
|---|---|---|---|
| ... | | | |
| MSA: Open 465/TCP for Email Submission over TLS.<br>See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete". | Guilhem Moulin | 2019-03-19 | 5 |
| firewall: gracefully close invalid connections.<br>This is useful when an ESTABLISHED connection is seen as NEW because the client was offline for some time. For instance, clients now gracefully close existing SSH connections immediately after resuming from a suspend state, rather than waiting for the TCP timeout. | Guilhem Moulin | 2018-12-22 | 1 |
| fail2ban: Only install the roundcube/dovecot filters if needed.<br>It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal. | Guilhem Moulin | 2018-12-15 | 1 |
| submission: Prospective SPF checking.<br>Cf. http://www.openspf.org/Best_Practices/Outbound . | Guilhem Moulin | 2018-12-12 | 5 |
| Outgoing SMTP: masquerade internal hostnames.<br>Use admin@fripost.org instead. We were sending out (to the admin team) system messages with non-existing or invalid envelope sender addresses, such as `<logcheck@antilop.fripost.org>` or `<root@mistral.fripost.org>`. | Guilhem Moulin | 2018-12-12 | 3 |
| IMAP: raise per user maximum number of inotify instances from 128 to 512. | Guilhem Moulin | 2018-12-12 | 1 |
| IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP.<br>(That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations . | Guilhem Moulin | 2018-12-09 | 1 |
| MSA verification probes: enable opportunistic encryption.<br>And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities. | Guilhem Moulin | 2018-12-09 | 2 |
| Use mariadb.service not mysql.service.<br>Since d8d07afe49e69114f8deb807031bec71a327d3ae our MySQL flavor is MariaDB. | Guilhem Moulin | 2018-12-09 | 2 |
| Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 24 |
| Disable resume device.<br>We don't need suspend-on-disk (hibernation). | Guilhem Moulin | 2018-12-09 | 3 |
| IMAP: Ensure /home/mail is mounted before creating sub-directories. | Guilhem Moulin | 2018-12-09 | 1 |
| bacula-sd: Ensure /mnt/backup is mounted before creating sub-directories. | Guilhem Moulin | 2018-12-09 | 1 |
| bacula: Backup MySQL database for the nextcloud host. | Guilhem Moulin | 2018-12-09 | 2 |
| systemd.service: Tighten hardening options. | Guilhem Moulin | 2018-12-09 | 9 |
| bacula-*.service: Don't fork in the background.<br>Inspired by /lib/systemd/system/bacula-fd.service. | Guilhem Moulin | 2018-12-09 | 3 |
| Upgrade 'lists' role to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 8 |
| Firewall: disable outgoing access to git:// remote servers.<br>We don't need it anymore as we use https:// these days. | Guilhem Moulin | 2018-12-09 | 1 |
| systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.<br>And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’. | Guilhem Moulin | 2018-12-09 | 9 |
| Firewall: REJECT outgoing connections instead of DROPing them. | Guilhem Moulin | 2018-12-09 | 1 |
| Upgrade 'out' role to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 1 |
| Don't install the haveged entropy daemon.<br>It's not really needed on our metal hosts, and our KVM guests use virtio-rng. | Guilhem Moulin | 2018-12-09 | 2 |
| ntp.conf: reduce delta with the packaged version. | Guilhem Moulin | 2018-12-09 | 1 |
| MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.<br>Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons. | Guilhem Moulin | 2018-12-09 | 8 |
| MX: don't override 5XY reject codes to 554. | Guilhem Moulin | 2018-12-09 | 1 |
| postfix: remove explicit default 'mail_owner = postfix'. | Guilhem Moulin | 2018-12-06 | 6 |
| postfix ≥3.0: don't advertise SMTPUTF8 support.<br>We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point.<br>Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 .<br>See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.” | Guilhem Moulin | 2018-12-06 | 1 |
| Upgrade 'ikiwiki-pandoc' to v0.5.1.<br>https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/v0.5.1/pandoc.pm Currently at commit 9292e45cea1be120adb3babd5b835b547f4c825a . | Guilhem Moulin | 2018-12-06 | 1 |
| Roundcube: improve serving of static resources.<br>We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8<br>To find out which extensions exist on the file system, run `find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \| sed -n 's/.*\.//p' \| sort \| uniq -c` | Guilhem Moulin | 2018-12-06 | 1 |
| DKIM: also include the "d=" tag in key filenames, not only the "s=" tag.<br>While the combination of "s=" tag (selector) & "d=" tag (signing domain) maps to a unique key, the selector alone doesn't necessarily. | Guilhem Moulin | 2018-12-05 | 3 |
| Upgrade DKIM keys to rsa2048, and allow for multiple keys. | Guilhem Moulin | 2018-12-04 | 3 |
| Install unbound on metal hosts.<br>(A validating, recursive, caching DNS resolver.) | Guilhem Moulin | 2018-12-03 | 4 |
| Define new host "calima" serving Nextcloud. | Guilhem Moulin | 2018-12-03 | 9 |
| Upgrade wiki baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 4 |
| Upgrade MX baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 1 |
| Upgrade webmail baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 6 |
| Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 25 |
| Postfix: replace cdb & btree tables with lmdb ones.<br>Cf. lmdb_table(5). | Guilhem Moulin | 2018-12-03 | 14 |
| IPsec: allow ISAKMP over IPv6. | Guilhem Moulin | 2018-12-03 | 2 |
| Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 23 |
| Skip samhain installation.<br>It's become too verbose (too many false positives)… | Guilhem Moulin | 2018-12-03 | 4 |
| Harden anti spam on the MX:es. | Guilhem Moulin | 2018-06-09 | 5 |
| More logcheck-database tweaks. | Guilhem Moulin | 2018-04-04 | 3 |
| lacme: explicitly bind to [::]:80. | Guilhem Moulin | 2018-04-04 | 1 |
| Postfix: replace 'fifo' types with 'unix', as it's the new default. | Guilhem Moulin | 2018-04-04 | 1 |
| sympa: wibble | Guilhem Moulin | 2018-04-04 | 2 |
| Firewall: Allow DNS queries over TCP. | Guilhem Moulin | 2018-04-04 | 1 |
| APT: use deb.debian.org as archive source. | Guilhem Moulin | 2018-04-04 | 1 |
| Postscreen: improve DNSBL sites and scores. | Guilhem Moulin | 2018-04-04 | 1 |
| Amavis: bind server to INADDR_LOOPBACK | Guilhem Moulin | 2018-04-04 | 1 |
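
The two firewall commits in the log above ("gracefully close invalid connections" and "REJECT outgoing connections instead of DROPing them") describe a mechanism without showing rules. The iptables-restore(8) ruleset below is an added example and is not fripost's firewall role: the ports, the loopback handling and the overall policy are assumptions made for this illustration, and the `first_rule_target`/`output_fallback_target` helpers exist only to check the ruleset's first-match behaviour from the shell.

```shell
#!/bin/sh
# Added example, not fripost's firewall role: an IPv4 iptables-restore(8)
# ruleset showing the two REJECT-instead-of-DROP rules from the commit log.
# Ports, loopback handling and the overall policy are assumptions made for
# this illustration; ip6tables needs the same rules, with
# icmp6-port-unreachable as the non-TCP reject type.

firewall_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A non-SYN segment that conntrack still classifies as NEW belongs to a flow
# whose entry has expired (a client that was suspended resumes with a
# mid-stream ACK). A RST lets that client tear the stale session down at
# once; DROP would leave it retransmitting until its own TCP timeout.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m conntrack --ctstate INVALID -j REJECT --reject-with tcp-reset
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 587 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Locally generated connections that nothing above allows are refused, not
# dropped: the calling process gets ECONNREFUSED straight away instead of
# blocking until connect(2) times out, and the failure is easy to attribute.
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Target of the first rule in CHAIN ($1) whose text matches the extended
# regex RE ($2). Rules are first-match, so this is what the packet gets.
first_rule_target() {
    firewall_ruleset | grep -E "^-A $1 .*$2" | head -n 1 \
        | sed 's/.*-j \([A-Z]*\).*/\1/'
}

# Target that a new outgoing connection matching no ACCEPT rule falls to.
output_fallback_target() {
    firewall_ruleset | grep -E '^-A OUTPUT .*-j (REJECT|DROP)' | head -n 1 \
        | sed 's/.*-j \([A-Z]*\).*/\1/'
}

echo "non-SYN NEW segment on INPUT -> $(first_rule_target INPUT '! --syn')"
echo "INVALID TCP segment on INPUT -> $(first_rule_target INPUT 'ctstate INVALID')"
echo "unlisted OUTPUT connection   -> $(output_fallback_target)"
# To load it for real (needs root): firewall_ruleset | iptables-restore --test
```

The non-SYN rule must sit before the per-port `--ctstate NEW` accepts, otherwise a resumed client's mid-stream ACK to an open port would be accepted and picked up as a fresh flow instead of being reset.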
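
The systemd commits above ("Tighten hardening options" and "Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’, remove ‘ReadOnlyDirectories=/’") state a rule that is easy to lint for. The script below is an added example, not fripost's Ansible role: it encodes that rule as a small check over unit files and runs it against two constructed sample units (a "before" and an "after"); the `example-daemon` service and its `/var/lib/example` state path are invented for the illustration.

```shell
#!/bin/sh
# Added example, not fripost's own code: lint the hardening directives of a
# systemd unit. ProtectSystem=strict supersedes ProtectSystem=full, and under
# strict a bare ReadOnlyDirectories=/ (the deprecated spelling of
# ReadOnlyPaths=) is redundant; writable state must then be listed explicitly
# (ReadWritePaths=, or StateDirectory=/LogsDirectory=/RuntimeDirectory=).
# The sample units are constructed for this illustration.

# Value of KEY ($1) in unit file $2; last occurrence wins, as in systemd.
unit_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Print one finding per line; return 1 if anything was found, 0 otherwise.
unit_hardening_issues() {
    file=$1; found=0
    ps=$(unit_get ProtectSystem "$file")
    case $ps in
        strict) ;;
        full|true|yes|on|1)
            echo "ProtectSystem=$ps: use ProtectSystem=strict and list writable state under ReadWritePaths="
            found=1 ;;
        *)  echo "ProtectSystem= missing: the whole file system stays writable"
            found=1 ;;
    esac
    if grep -Eq '^[[:space:]]*ReadOnlyDirectories[[:space:]]*=' "$file"; then
        echo "ReadOnlyDirectories= is deprecated (ReadOnlyPaths=) and redundant under ProtectSystem=strict"
        found=1
    fi
    if [ "$ps" = strict ] && ! grep -Eq \
        '^[[:space:]]*(ReadWritePaths|StateDirectory|LogsDirectory|RuntimeDirectory)[[:space:]]*=' "$file"; then
        echo "ProtectSystem=strict but no writable path declared: only /dev, /proc and /sys stay writable"
        found=1
    fi
    return $found
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed "before" unit, the pre-commit pattern.
cat >"$TMP/before.service" <<'EOF'
[Unit]
Description=example daemon (before)
[Service]
ExecStart=/usr/local/sbin/example-daemon --foreground
ProtectSystem=full
ReadOnlyDirectories=/
EOF

# Constructed "after" unit: strict, with the one writable path spelled out.
cat >"$TMP/after.service" <<'EOF'
[Unit]
Description=example daemon (after)
[Service]
ExecStart=/usr/local/sbin/example-daemon --foreground
ProtectSystem=strict
ReadWritePaths=/var/lib/example
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
EOF

for u in "$TMP/before.service" "$TMP/after.service"; do
    echo "== $u"
    if unit_hardening_issues "$u"; then echo "no findings"; fi
done
```

Run it over `/etc/systemd/system/*.service` and the drop-ins under `*.service.d/` to find units still on the older settings; `systemd-analyze security <unit>` gives the broader sandboxing score once the unit is loaded.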
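
The "Roundcube: improve serving of static resources" commit describes an allow-list (selected sub-directories, selected extensions, 404 for everything else) but the web server configuration is not on this page. The script below is an added example, not fripost's or Roundcube's configuration: it writes that policy as one extended regex, which is the shape it would take in an nginx `location ~` or Apache `<LocationMatch>` block, and checks constructed request paths against it. The directory and extension lists are assumptions; the real ones come from the `find | sed | sort | uniq -c` inventory quoted in the commit message.

```shell
#!/bin/sh
# Added example, not fripost's or Roundcube's own configuration: the static
# resource allow-list from the commit message as a testable regex. Directory
# and extension lists are assumptions for this illustration.

STATIC_DIRS='plugins|program/js|program/resources|skins'
STATIC_EXTS='css|js|png|jpg|gif|svg|ico|woff|woff2|ttf|eot'

# Allowed iff the path is under one of the selected sub-directories AND ends
# in an allowed extension. Config, logs, temp, PHP sources and anything else
# fall through to the deny-by-default rule (served as 404, not 403, so the
# response does not confirm that the file exists).
STATIC_RE="^/(${STATIC_DIRS})/[^[:space:]]*\.(${STATIC_EXTS})$"

# Request path ($1) -> exit 0 if it may be served, 1 otherwise.
static_allowed() {
    # Refuse dot-segments and dotfiles first ("/../", "/.htaccess", ...):
    # the extension regex alone would let "/skins/../config/x.php.css" through
    # on a server that does not normalise the path before matching.
    if printf '%s\n' "$1" | grep -q '/\.'; then return 1; fi
    printf '%s\n' "$1" | grep -Eq "$STATIC_RE"
}

# HTTP status the policy yields for request path $1.
static_status() {
    if static_allowed "$1"; then echo 200; else echo 404; fi
}

# Constructed sample requests.
for p in /skins/elastic/styles/styles.min.css /program/js/app.min.js \
         /config/config.inc.php /logs/errors.log /program/include/rcmail.php \
         /skins/../config/config.inc.php.css /plugins/.htaccess; do
    printf '%s  %s\n' "$(static_status "$p")" "$p"
done
```

When copying the regex into the web server, keep the deny rule as the catch-all for the Roundcube document root and let only `index.php` (and the other entry points Roundcube actually needs) reach PHP; the allow-list is only safe because nothing else is served by default.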
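
The two DKIM commits ("also include the "d=" tag in key filenames" and "allow for multiple keys") rest on one observation: a selector is only unique together with its signing domain. The script below is an added example, not fripost's own code: it extracts the `d=` and `s=` tags from DKIM-Signature headers, derives a key file name from both, and shows two constructed headers from different domains that share a selector colliding under selector-only naming. The `<domain>.<selector>.key` layout and the sample headers are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not fripost's own code: derive the on-disk name of a DKIM
# signing key from a DKIM-Signature header using both the d= (signing domain)
# and s= (selector) tags. The "<domain>.<selector>.key" layout and the sample
# headers are assumptions made for this illustration.

# Value of tag NAME ($1, e.g. d or s) in DKIM-Signature header value $2.
# Folded lines are unfolded, the ';'-separated tag=value list is split, and
# whitespace around '=' and the value is ignored (RFC 6376 tag-list syntax).
dkim_tag() {
    name=$1
    { printf '%s\n' "$2" | tr -d '\r\n'; echo; } \
        | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | head -n 1
}

# Key file under the domain+selector scheme; fails if either tag is missing.
dkim_key_file() {
    d=$(dkim_tag d "$1")
    s=$(dkim_tag s "$1")
    [ -n "$d" ] && [ -n "$s" ] || return 1
    printf '%s.%s.key\n' "$d" "$s"
}

# Selector-only naming, for comparison.
dkim_key_file_selector_only() {
    s=$(dkim_tag s "$1")
    [ -n "$s" ] || return 1
    printf '%s.key\n' "$s"
}

# Number of distinct key files a naming function ($1) yields for headers $2...
distinct_keys() {
    fn=$1; shift
    for h in "$@"; do "$fn" "$h"; done | sort -u | wc -l | tr -d ' '
}

# Constructed sample headers: two signing domains that use the same selector.
# (bh= and b= are placeholders; the tags of interest are d= and s=.)
HDR_A='v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=2018; h=from:to:subject; bh=...; b=...'
HDR_B='v=1; a=rsa-sha256; c=relaxed/simple;
        d=example.net; s=2018; h=from:to:subject; bh=...; b=...'

for h in "$HDR_A" "$HDR_B"; do
    printf '%-24s (selector only: %s)\n' \
        "$(dkim_key_file "$h")" "$(dkim_key_file_selector_only "$h")"
done
printf 'distinct key files: selector only = %s, domain+selector = %s\n' \
    "$(distinct_keys dkim_key_file_selector_only "$HDR_A" "$HDR_B")" \
    "$(distinct_keys dkim_key_file "$HDR_A" "$HDR_B")"
```

The same lookup order applies to the published record: a verifier fetches `<s>._domainkey.<d>`, so a signer that keys its private-key table on `s=` alone can pick the wrong key as soon as two of its domains reuse a selector, and the signatures then fail verification.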