|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| ... |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
  virtual_alias_maps:
    mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
  transport_maps:
    mlmmj.localhost.localdomain mlmmj: | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | Right now the list server cannot be hosted with a MX, due to bug 51:
    http://mlmmj.org/bugs/bug.php?id=51
Web archive can be compiled with MHonArc, but the web server
configuration is not there yet. | 
| | 
| 
| 
| 
| 
| | They were only a dirty hack for list commands à la Mailman such as
mylist-request. If we are to use another list manager such as mlmmj,
which uses a VERP delimiter instead, the problem disappears. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| | It has to be performed last, to give a chance to be accepted as a
regular mailbox.
We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls. | 
| | 
| 
| 
| 
| 
| | To avoid low-entropy conditions, see
    http://www.issihosts.com/haveged/ | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Instead, we pretend that lists are valid users (via a match in the
mailbox_transport_maps) but choose a different transport (with the same
request in transport_maps).
The advantage is that we get rid of the ugly hack for list transport…
A minor drawback is that we now have two LDAP lookups instead of one for
non local addresses (ie, everything but reserved addresses). Hopefully
the requests are cached; but even if they aren't, querying a local LDAP
server is supposed to be cheap. | 
| | 
| 
| 
| 
| | Also, add the 'managesieve' RoundCube plugin to communicate with our
server. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | (Unless the webmail is itself a full IMAP server.) It replaces
RoundCube's own IMAP and message caches.
Dovecot's IMAPC storage backend is not very documented, but provides
smart IMAP proxying. References include:
http://dovecot.org/pipermail/dovecot/2011-January/056975.html
http://wiki2.dovecot.org/HowTo/ImapcProxy
http://wiki2.dovecot.org/Migration/Dsync | 
| | |  | 
| | 
| 
| 
| 
| 
| | RoundCubes lists subscribed mailboxes only (determined using
LIST-EXTENDED by default); also, it seems to ignore new subscriptions to
mailboxes not listed by the LIST command. | 
| | |  | 
| | |  | 
| | 
| 
| 
| | Also, turn off all TCP/IP listener ports. | 
| | 
| 
| 
| 
| | By using double quoted scalars, cf.
  https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw | 
| | 
| 
| 
| | See /usr/share/doc/spamassassin/README.Debian.gz | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Mails to be retrained are stored in the spooldir /home/mail/spamspool;
later a daemon catches them up and feed them to sa-learn(1p). (On busy
systems batch-process the learning should be much more efficient.)
The folder transisition matrix along with the corresponding actions can
be found there:
  http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt
See also dovecot-antispam(7). | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Using dovecot's 'virtual' plugin, cf.
  http://wiki2.dovecot.org/Plugins/Virtual
The 'virtual/' namespace is visible in the NAMESPACE command
(hidden=no), but not in LIST (list=no). This should ensure that the
namespace isn't automatically synced by offlineimap, but nevertheless
visible by roundcube, cf.
  http://trac.roundcube.net/ticket/1486796
  http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html | 
| | |  | 
| | 
| 
| 
| 
| 
| | It'd certainly be nicer if we didn't have to deploy amavis' schema
everywhere, but we need the 'objectClass' in our replicates, hence they
need to be aware of the 'amavisAccount' class. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).
One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obivious to get it
write with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay) | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| | We use a "master" NTP server, which synchronizes against stratum 1
servers (hence is a stratum 2 itself); all other clients synchronize to
this master server through IPSec. | 
| | 
| 
| 
| | Other abreviations are upper case. | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | (For now, only LMTP and IMAP processes, without replication.) | 
| | |  | 
| | 
| 
| 
| | (Hence the SyncProv overlay.) | 
| | |  | 
| | 
| 
| 
| | As of 2.9.6 (2.10), at least. See bug #730848. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | This is because the UNIX domain socket to connect to when performing
LDAP lookups needs to be in the chroot.
Also, don't open a INET socket unless we're a Sync Provider. | 
| | 
| 
| 
| 
| 
| | And use main.cf's 'master_service_disable' setting to deactivate each
service that's useless for a given instance. (Hence solve conflict when
trying to listen twice on the same port, for instance.) | 
| | 
| 
| 
| 
| 
| 
| | It's unfortunate that samhain cannot use the sendmail binary, and wants
to use a inet socket instead. We use a custom port to avoid
conflicts with the usual SMTP port the MX:es need to listen on.
See also: /usr/share/doc/samhain/TODO.Debian | 
| | 
| 
| 
| 
| 
| | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by
"gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102
is postfix's UID and 106 its primary GID (looked up from /etc/passwd). | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | For non-indexed attributes, do not ask the LDAP server to modify values
in the symmetric difference of A (the entry found in the directory) and
B (the target). That is, we replace A by B only when they are disjoint;
otherwise we remove values in A-B and add those in B-A. | 
| | 
| 
| 
| | Since indices are specified in the database LDIF. |