Commit message | Author | Age | Files | ||
---|---|---|---|---|---|
... | |||||
* | postfix: master.cf wibble | Guilhem Moulin | 2016-05-18 | 1 | |
| | |||||
* | postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 7 | |
| | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | ||||
* | postfix: unset 'smtpd_tls_session_cache_database'. | Guilhem Moulin | 2016-05-18 | 5 | |
| | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935 | ||||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 8 | |
| | Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out. | ||||
* | postfix: disable weak ciphers for the 'encrypt' TLS security level. | Guilhem Moulin | 2016-05-18 | 3 | |
| | That is, on the MSA and in our local infrastructure. | ||||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. And use this to fetch all X.509 leaf certificates. | Guilhem Moulin | 2016-05-18 | 13 | |
| | |||||
* | dovecot imapc: wibble | Guilhem Moulin | 2016-05-17 | 2 | |
| | |||||
* | roundcube: Pin X.509 certificate for sieve.fripost.org:4190. | Guilhem Moulin | 2016-05-17 | 2 | |
| | |||||
* | bacula: Set heartbeat options. | Guilhem Moulin | 2016-05-12 | 6 | |
| | and also TCP keepalive options in the stunnel config. | ||||
* | bacula-sd: wibble | Guilhem Moulin | 2016-05-12 | 1 | |
| | |||||
* | bacula-dir: Fix Reschedule Interval from 17 months to 17 mins. | Guilhem Moulin | 2016-05-12 | 1 | |
| | |||||
* | MySQL: set InnoDB flush method to 'O_DIRECT' | Guilhem Moulin | 2016-05-12 | 1 | |
| | |||||
* | Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 6 | |
| | |||||
* | Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 26 | |
| | |||||
* | Roundcube's CSP: remove 'upgrade-insecure-requests' and 'block-all-mixed-content'. | Guilhem Moulin | 2016-04-08 | 1 | |
| | |||||
* | Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs. | Guilhem Moulin | 2016-04-07 | 1 | |
| | Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/ | ||||
* | nginx: update ssl_ciphers to follow Mozilla's TLS server recommendation. | Guilhem Moulin | 2016-04-02 | 1 | |
| | https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate | ||||
* | Set frame-ancestors from 'none' to 'self' in roundcube's CSP. | Guilhem Moulin | 2016-04-02 | 1 | |
| | |||||
* | wibble | Guilhem Moulin | 2016-04-02 | 3 | |
| | |||||
* | Set a HPKP on the webmail, website/wiki/git and list manager. | Guilhem Moulin | 2016-04-01 | 5 | |
| | |||||
* | Set a CSP on the webmail, website/wiki and list manager. | Guilhem Moulin | 2016-04-01 | 5 | |
| | |||||
* | sysctl: don't set IPv6 privacy extensions globally. | Guilhem Moulin | 2016-04-01 | 1 | |
| | |||||
* | sysctl: set net.ipv6.conf.all.accept_ra = 0. | Guilhem Moulin | 2016-03-30 | 1 | |
| | |||||
* | Set HTTP security headers. | Guilhem Moulin | 2016-03-30 | 9 | |
| | See https://securityheaders.io . | ||||
* | Replace LE's X1 intermediate CA with X3 since the latter has better support for XP. | Guilhem Moulin | 2016-03-28 | 1 | |
| | |||||
* | munin-master CGI: add application-level ACLs to keep non-local users at bay. | Guilhem Moulin | 2016-03-21 | 1 | |
| | |||||
* | Remove SMTP message size limit on non public MTAs. | Guilhem Moulin | 2016-03-21 | 3 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-03-13 | 1 | |
| | |||||
* | Let's Encrypt: Only reload (as opposed to restart) postfix/nginx after renewing the cert | Guilhem Moulin | 2016-03-05 | 1 | |
| | |||||
* | Amavis: use the LMTP protocol in the policy banks. | Guilhem Moulin | 2016-03-03 | 1 | |
| | |||||
* | Let's Encrypt | Guilhem Moulin | 2016-03-02 | 12 | |
| | |||||
* | cgit: Create cache directory /var/cache/cgit | Guilhem Moulin | 2016-03-02 | 1 | |
| | |||||
* | Ansible: Using bare variables is deprecated, and will be removed in a future release. | Guilhem Moulin | 2016-03-02 | 4 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-02-17 | 1 | |
| | |||||
* | s/ansible_ssh_/ansible_/ | Guilhem Moulin | 2016-02-12 | 2 | |
| | |||||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 23 | |
| | |||||
* | Update all Fripost links from http:// to https://. | Guilhem Moulin | 2015-12-28 | 3 | |
| | |||||
* | Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 2 | |
| | |||||
* | Fix Let's Encrypt CAfile. | Guilhem Moulin | 2015-12-28 | 1 | |
| | |||||
* | Copy and install Let's Encrypt ACME client. | Guilhem Moulin | 2015-12-20 | 1 | |
| | |||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 19 | |
| | |||||
* | nginx: Move include.d/* to snippets/. | Guilhem Moulin | 2015-12-20 | 12 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-12-15 | 2 | |
| | |||||
* | dovecot: remove !SSLv2 from ssl_cipher_list. | Guilhem Moulin | 2015-12-15 | 1 | |
| | |||||
* | nginx: s/conf.d/include.d/ | Guilhem Moulin | 2015-12-15 | 7 | |
| | |||||
* | wibble | Guilhem Moulin | 2015-12-09 | 2 | |
| | |||||
* | nginx: mv ssl/config conf.d/ssl | Guilhem Moulin | 2015-12-09 | 7 | |
| | |||||
* | typo | Guilhem Moulin | 2015-12-04 | 1 | |
| | |||||
* | Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 4 | |
| | |||||
* | Use a dedicated subdomain for ManageSieve. | Guilhem Moulin | 2015-12-03 | 1 | |
| |