Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Dovecot: Explicitly disable LDAP. | Guilhem Moulin | 2016-12-08 | 1 |
| | ||||
* | gitolite: allow hook.* git config keys. | Guilhem Moulin | 2016-12-08 | 1 |
| | ||||
* | Upgrade to lacme 0.2-1. | Guilhem Moulin | 2016-12-08 | 2 |
| | ||||
* | Webmail: Install XCache (PHP opcode cacher). | Guilhem Moulin | 2016-12-08 | 1 |
| | ||||
* | Dovecot: use fallocate(2) to preallocate new mdbox files. | Guilhem Moulin | 2016-12-08 | 1 |
| | ||||
* | Postscreen: Give temporary whitelist status to primary MX addresses only. | Guilhem Moulin | 2016-09-20 | 1 |
| | ||||
* | systemd: Ensure sympa service is enabled. | Guilhem Moulin | 2016-09-18 | 1 |
| | ||||
* | lacme-certs.conf: don't restart but reload dovecot after renewing IMAPS cert. | Guilhem Moulin | 2016-09-18 | 1 |
| | | | | | | Unfortunately as of Debian 8.6 (Jessie) dovecot's service file doesn't have a “Reload” directive, so we can't use `/bin/systemctl restart dovecot` as notification. It'll be fixed in Stretch, though. | |||
* | Postfix: ensure common aliases are present. | Guilhem Moulin | 2016-09-18 | 3 |
| | ||||
* | FreshClam: change ownership of /etc/clamav/freshclam.conf. | Guilhem Moulin | 2016-09-18 | 1 |
| | | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444 | |||
* | Firewall: allow duplicates rules. | Guilhem Moulin | 2016-09-18 | 1 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2 |
| | ||||
* | HSTS: use the standard capitalization of includeSubDomains. | Guilhem Moulin | 2016-07-12 | 1 |
| | | | | Cf. RFC 6797 sec. 6.1.2. | |||
* | postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 4 |
| | ||||
* | postfix: commit the master.cf symlinks. | Guilhem Moulin | 2016-07-12 | 5 |
| | ||||
* | nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 13 |
| | | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out. | |||
* | Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks. | Guilhem Moulin | 2016-07-10 | 2 |
| | ||||
* | Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 13 |
| | ||||
* | Postfix MX/MSA instances: put certs in the the instance's $config_directory. | Guilhem Moulin | 2016-07-10 | 5 |
| | ||||
* | Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵ | Guilhem Moulin | 2016-07-10 | 2 |
| | | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers. | |||
* | Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 2 |
| | ||||
* | Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 12 |
| | ||||
* | postfix: Don't explicitly set inet_interfaces=all as it's the default. | Guilhem Moulin | 2016-07-10 | 5 |
| | ||||
* | Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 7 |
| | ||||
* | Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 8 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-07-09 | 2 |
| | ||||
* | Localize the NTP pool hostnames. | Guilhem Moulin | 2016-07-09 | 1 |
| | ||||
* | Localize the debian archive hostnames. | Guilhem Moulin | 2016-07-09 | 1 |
| | ||||
* | ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 2 |
| | | | | | | As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansiblee script did not ensure ordering of the DatabaseMirror lines. | |||
* | IMAP: don't include mailbox under the virtual namespace in LIST responses. | Guilhem Moulin | 2016-07-06 | 2 |
| | | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes. | |||
* | dovecot: use the MSA postfix instance for sieve redirection. | Guilhem Moulin | 2016-07-01 | 2 |
| | | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es. | |||
* | IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 5 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-06-29 | 3 |
| | ||||
* | update-firewall.sh: COMMIT empty iptables rule files. | Guilhem Moulin | 2016-06-29 | 1 |
| | ||||
* | Postfix MSA: don't allow unauthenticated clients from $mynetworks. | Guilhem Moulin | 2016-06-29 | 1 |
| | ||||
* | certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 7 |
| | | | | To avoid new commits upon cert renewal. | |||
* | Rename letsencrypt-tiny to lacme. | Guilhem Moulin | 2016-06-15 | 7 |
| | ||||
* | wwsympa systemd service file: Set PrivateTmp=yes. | Guilhem Moulin | 2016-06-07 | 1 |
| | | | | The CGI wants to create a temp file during bulk subcription. | |||
* | clamav: Don't set obsolete option 'AllowSupplementaryGroups'. | Guilhem Moulin | 2016-06-05 | 1 |
| | ||||
* | Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 5 |
| | | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. | |||
* | postfix: rotate the sender address for verify probes. | Guilhem Moulin | 2016-06-02 | 2 |
| | | | | | In order to avoid ‘double-bounce@’ ending up on spammer mailing lists. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html . | |||
* | Remove the IMAP caching proxy. | Guilhem Moulin | 2016-05-28 | 10 |
| | | | | | | | | | Dovecot imapc requires two authentication rounds to the IMAP backend for each connection. It seems suboptimal that Roundcube keeps connecting to the IMAP server for each new connection, but benchmarks shows little advantage in caching the IMAP sessions with imapproxy: http://www.dovecot.org/list/dovecot/2012-February/133544.html | |||
* | Roundcube: route IMAP and managesieve traffic through IPSec. | Guilhem Moulin | 2016-05-28 | 2 |
| | ||||
* | Roundcube: add a link to our webpage as support URL. | Guilhem Moulin | 2016-05-24 | 1 |
| | ||||
* | typo | Guilhem Moulin | 2016-05-24 | 1 |
| | ||||
* | IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 3 |
| | | | | There is no need to bother with X.509 cruft here. | |||
* | dovecot: don't listen on the IP dedicated for IPSec when there is a single host. | Guilhem Moulin | 2016-05-23 | 1 |
| | ||||
* | Roundcube: add a warning regarding IMAP hostname change. | Guilhem Moulin | 2016-05-23 | 1 |
| | ||||
* | Dovecot imapc: use the version from jessie-backports. | Guilhem Moulin | 2016-05-23 | 7 |
| | | | | | Since many bug have been fixed since 2.2.13, and we really want passthrough search on the caching proxy. | |||
* | Dovecot imapc: don't hardcode the master IMAP server's IP. | Guilhem Moulin | 2016-05-23 | 3 |
| |