summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-075
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Loopia's maximum length for TXT records is 255 chars.Guilhem Moulin2015-06-073
| | | | So unfortunately we can't fit a 2048-bits RSA key.
* wibbleGuilhem Moulin2015-06-072
|
* typoGuilhem Moulin2015-06-072
|
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-0713
| | | | For DKIM signing and virus checking.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Remove IPSec related files.Guilhem Moulin2015-06-075
|
* Make the IMAP caching proxy listen on ::1.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-073
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Whitelist our IPs against fail2ban.Guilhem Moulin2015-06-071
| | | | | | | This is important as we don't want the IMAP server baning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-076
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Tel logcheck which logs to monitor.Guilhem Moulin2015-06-071
|
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-0723
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-0711
|
* Don't use mailbox list indexes.Guilhem Moulin2015-06-072
| | | | | | | In 2.1.7 they are buggy, and make Dovecot crash (when connected through Evolution for instance). They have improved a lot since, though: http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
* Expose the real user ID when using the webmail.Guilhem Moulin2015-06-071
| | | | | | Sadly not doing so and keeping a table message ID -> username, like we do for SASL authenticated users, doesn't seem trivial here. We could encrypt the header, though.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-075
|
* Fix syntax error.Guilhem Moulin2015-06-073
|
* Don't install 'unhide.rb'.Guilhem Moulin2015-06-072
|
* Don't use generic maps.Guilhem Moulin2015-06-073
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-075
|
* Make genkeypair.sh able to display TXT record for DKIM signatures.Guilhem Moulin2015-06-073
|
* Add support for CSR and subjectAltName in genkeypair.sh.Guilhem Moulin2015-06-072
|
* Create a nightly cron job to purge expunged messages.Guilhem Moulin2015-06-071
| | | | | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
* Force Roundcube to connect the IMAP server on localhost:143.Guilhem Moulin2015-06-071
|
* Allow Roundcube to offer JavaScript.Guilhem Moulin2015-06-071
|
* Revert dovecot (imapc) to stable (2.1.7-7+deb7u1).Guilhem Moulin2015-06-072
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There seem to be multiple bugs with the version from wheezy-backports (2.2.9-1~bpo70+1), and the client is killed on THREAD commands: guilhem@elefant:~$ telnet localhost 143 Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready. a LOGIN guilhem xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in b SELECT INBOX * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted. * 8060 EXISTS * 0 RECENT * OK [UIDVALIDITY 1302032711] UIDs valid * OK [UIDNEXT 78905] Predicted next UID * OK [NOMODSEQ] No permanent modsequences b OK [READ-WRITE] Select completed (0.395 secs). c THREAD REFERENCES UTF-8 ALL Connection closed by foreign host. :/var/log/syslog Jun 27 21:58:01 elefant dovecot: imap(guilhem@fripost.org): Fatal: master: service(imap): child 24907 killed with signal 11 (core dumps disabled) Jun 27 21:58:01 elefant kernel: [248570.057270] imap[24907]: segfault at 400 ip 00007f7651596e09 sp 00007fff6e267760 error 4 in libdovecot.so.0.0.0[7f765153a000+cc000] Other (less scary) errors can be found in the syslog: Jun 27 20:26:09 elefant dovecot: imap(xxxx@fripost.org): Error: file_dotlock_open() failed with file /home/imapproxy/fripost.org/xxxx/imapc/dovecot.list.index.log: No such file or directory Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc(imap.fripost.org:993): Command '11 APPEND "Sent" (\Seen) {2512485}' timed out, disconnecting Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc: COPY failed: Disconnected from server Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Disconnected: IMAP session state is inconsistent, please relogin. in=2512632 out=969 This is infortunate as we cannot benefit from the 'fetch-headers' imapc_features right now. However, the bugs (at least the segfault) seems to be fixed as of 2.2.13-1, the version which can currently be found in testing. Hopefully it'll be backported soon :-)
* Dovecot wibble.Guilhem Moulin2015-06-073
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-074
|
* Fix YAML syntax error.Guilhem Moulin2015-06-071
|
* chown root:root /home/mail && chmod 0755 /home/mailGuilhem Moulin2015-06-071
| | | | | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance.
* The 'vmail' user may have a UID lower than 500.Guilhem Moulin2015-06-071
| | | | So we set 'first_valid_uid' to 1, to accept any UID.
* Support boken SMTP clients and LOGIN SASL mechanism.Guilhem Moulin2015-06-074
|
* Compress messages on the IMAP backend.Guilhem Moulin2015-06-072
|
* wibbleGuilhem Moulin2015-06-072
|
* logcheck-database tweaks.Guilhem Moulin2015-06-074
|
* wibbleGuilhem Moulin2015-06-071
|
* Install dovecot from backports (for imapc).Guilhem Moulin2015-06-075
| | | | | Interesting features include caching of mail headers (v2.2.8+) as well as new IMAP capabilities.
* Install Rouncube from backports.Guilhem Moulin2015-06-072
| | | | | | Recent versions have a whole bunch of bugfixes and nice new features: http://trac.roundcube.net/wiki/Changelog
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-075
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Don't try to start smart on VMs.Guilhem Moulin2015-06-071
|
* Support non-free firmwares. (Can be required :-()Guilhem Moulin2015-06-072
| | | | Also, always install contrib's intel-microcode on Intel CPUs.
* wibbleGuilhem Moulin2015-06-076
|
* Assume a DNS entry for each role.Guilhem Moulin2015-06-0717
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Decongestion potential bottlenecks on trivial_rewrite(8).Guilhem Moulin2015-06-0710
| | | | | | | | | | | | | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each addresses for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongestion bottlenecks under heavy loads. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
* typoGuilhem Moulin2015-06-071
|
* Add XXX comments for ad hoc fixes for some known bugs.Guilhem Moulin2015-06-072
| | | | (To be removed when the fix enters stable.)
* Follow Qualys's SSL labs recommendation for HTTPS.Guilhem Moulin2015-06-071
| | | | | (Disable SSLv3 and extend STS' max age to 180 days.) See https://www.ssllabs.com/ssltest/ .