| Commit message (Collapse) | Author | Age | Files |
| |
|
|
|
|
| |
See https://salsa.debian.org/roundcube-team/roundcube/-/commit/f1e89494e8b777d69564e67f2d8b47ac84eb02f4 .
|
|
|
|
| |
Per https://salsa.debian.org/roundcube-team/roundcube/commit/7df02624eec4857053432d8ebe9b4e2b36f22bc5 .
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing. With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:
postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)
This applies to the smarthost as well as for verification probes on the
Mail Submission Agent. Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.
This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain. Other domains, even those using mx[12].fripost.org as MX, are
not covered. A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration. It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.
|
|
|
|
| |
See https://bugs.debian.org/975862 .
|
|
|
|
|
| |
Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap
so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.
|
| |
|
|
|
|
| |
See https://bugs.debian.org/932594#15 .
|
| |
|
|
|
|
| |
Regression from ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3.
|
|
|
|
|
|
|
|
|
| |
(Excluding our NTP master.) It's simpler, arguably more secure, and
provides enough functionality when only simple client use-cases are
desired.
We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd
can connect to the fallbacks NTP servers.
|
|
|
|
|
|
| |
In particular, trigger weekly differential backups for mailboxes, and exclude
Dovecot's transaction/index/etc log and cache files which are constantly
updated but not useful assets to backup.
|
| |
|
|
|
|
| |
This is in particular needed for traceroutes and routing loop detection.
|
|
|
|
| |
This reverts commit 26bae877102752a41a903cab2ee0891f8f261d38.
|
|
|
|
|
|
| |
Use unit overrides on top of upstream's service files instead of
overriding entire service files. In particular, upstream uses flag `-P`
so we don't need to use RuntimeDirectory= anymore.
|
|
|
|
|
|
|
|
| |
This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24,
as well as linked-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour
discovery).
Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
|
|
|
|
|
| |
This is more efficient: the earlier we filter the crap out the less
resources they consume.
|
|
|
|
| |
See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
|
|
|
|
| |
As of MariaDB 10.3 this should be more future proof.
|
| |
|
| |
|
| |
|
|
|
|
| |
See https://git.fripost.org/fripost-wiki/commit/?id=72983121e68289a7497927417e52a8ec5f16aa7b .
|
| |
|
| |
|
|
|
|
| |
use_fallback_verifier/trusted_mtas.
|
| |
|
|
|
|
|
| |
Unlike slapcat(1) it doesn't require write access to ~openldap, so we
don't have to weaken bacula-fd.service.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This is needed for BS4's navbar-toggler-icon which uses an SVG
background-image.
|
|
|
|
| |
Add frame-ancestors and form-action.
|
| |
|
|
|
|
|
|
| |
And drop -ldap from all roles other than MX. -lmdb is included in
roles/common but it can be helpful to have it individual roles as well
as they can be run individually.
|
|
|
|
| |
Run as a dedicated user, not ‘postfix’.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
|
|
|
|
|
|
|
|
| |
This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f.
There are no relevant interface changes between 2.2.27 (stretch) and
2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h`
and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| |
|
|
|
|
| |
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
|
| |
|
| |
|
|
|
|
| |
To be done when we upgrade to Bullseye for more fine-grained control.
|
|
|
|
|
|
|
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
|
|
|
| |
We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
|
|
|
|
|
| |
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traverslate (UDP encapsulation aka MOBIKE).
|
| |
|