| Commit message (Collapse) | Author | Age | Files |
|---|
| |
|
|
| |
Run as a dedicated user, not ‘postfix’.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
|
| |
|
|
|
|
|
|
| |
This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f.
There are no relevant interface changes between 2.2.27 (stretch) and
2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h`
and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
|
| |
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| |
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| | |
|
| |
|
|
| |
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
|
| | |
|
| | |
|
| |
|
|
| |
To be done when we upgrade to Bullseye for more fine-grained control.
|
| |
|
|
|
|
|
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
| |
|
|
| |
We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
|
| |
|
|
|
| |
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traverslate (UDP encapsulation aka MOBIKE).
|
| | |
|
| | |
|
| |
|
|
| |
For use with Nextcloud 18, cf. https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx .
|
| |
|
|
|
| |
We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy
§9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction .
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We leave dynamic pages (those passed to PHP-FPM) alone for now:
compressing them would make us vulnerable to BREACH attacks. This will
be revisited once Roundcube 1.5 is released: 1.5 adds support for the
same-site cookie attribute which once set to 'Strict' makes it immune to
BREACH attacks:
https://github.com/roundcube/roundcubemail/pull/6772
https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
|
| |
|
|
|
| |
$ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \
| sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
|
| | |
|
| | |
|
| |
|
|
| |
They don't appear to be supported anymore.
|
| |
|
|
|
| |
It doesn't integrate too well with the new elastic theme at the moment.
https://github.com/corbosman/keyboard_shortcuts
|
| | |
|
| |
|
|
|
| |
We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1)
for the elastic theme.
|
| |
|
|
| |
lacme now ships that file as /etc/lacme/nginx.conf.
|
| |
|
|
|
|
|
|
| |
For postfix, don't defer if "abused legit". (I.e., DBL return code in
the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
On the infrastructure boundary. We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>. Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.
|
| |
|
|
|
| |
We shouldn't use RuntimeDirectory to create it anew because is belongs
to the Sympa daemon and WWSympa looks up for PID files in there.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
|
| |
|
|
| |
This was forgotten in 0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204.
|
| | |
|
| |
|
|
|
|
| |
Also, update baseline to Debian 10 (codename Buster) and deploy a local
Redis instance for Transactional File Locking
https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html#id2
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/
It's also fairly easy to deploy onto the Debian infrastucture:
$ USERNAME="guilhem"
$ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user"
$ printf "dkimPubKey: %s %s\n" "$SELECTOR" \
"$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \
| gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
|
| |
|
|
|
|
|
|
| |
Since 1.5 (Buster) APT supports https:// natively. There is no need to
install ‘apt-transport-https’ (now a dummy transitional package)
anymore. Plain-text connection don't undermine security as APT checks
package OpenPGP signatures locally, but there is no reason not to use
TLS here.
|
| |
|
|
|
|
|
|
|
| |
* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability
Bounding Set. (This requires to change the log path to
/var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
|
| |
|
|
| |
Debian Buster uses the nftables framework by default.
|
| |
|
|
|
|
| |
Our internal IPs don't have a reverse PTR record, and skipping the
resolution speeds up mail delivery.
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This avoids
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set
to allow bad characters in group names by default, this will change, but
still be user configurable on deprecation. This feature will be removed
in version 2.10. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not
replaced, use -vvvv to see details
|
