summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
* postfix ≥3.0: don't advertise SMTPUTF8 support.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | | | We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point. Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 . See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.”
* Upgrade 'ikiwiki-pandoc' to v0.5.1.Guilhem Moulin2018-12-061
| | | | | https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/v0.5.1/pandoc.pm Currently at commit 9292e45cea1be120adb3babd5b835b547f4c825a .
* Roundcube: improve serving of static resources.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag.Guilhem Moulin2018-12-053
| | | | | While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily.
* Upgrade DKIM keys to rsa2048, and allow for multiple keys.Guilhem Moulin2018-12-043
|
* Install unbound on metal hosts.Guilhem Moulin2018-12-034
| | | | (A validating, recursive, caching DNS resolver.)
* Define new host "calima" serving Nextcloud.Guilhem Moulin2018-12-039
|
* Upgrade wiki baseline to Debian Stretch.Guilhem Moulin2018-12-034
|
* Upgrade MX baseline to Debian Stretch.Guilhem Moulin2018-12-031
|
* Upgrade webmail baseline to Debian Stretch.Guilhem Moulin2018-12-036
|
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-0325
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-0314
| | | | Cf. lmdb_table(5).
* IPsec: allow ISAKMP over IPv6.Guilhem Moulin2018-12-032
|
* Upgrade baseline to Debian Stretch.Guilhem Moulin2018-12-0323
|
* Skip samhain installation.Guilhem Moulin2018-12-034
| | | | It's become too verbose (too many false-positive)…
* Harden anti spam on the MX:es.Guilhem Moulin2018-06-095
|
* More logcheck-database tweaks.Guilhem Moulin2018-04-043
|
* lacme: explicitely bind to [::]:80.Guilhem Moulin2018-04-041
|
* Postfix: replace 'fifo' types with 'unix', as it's the new default.Guilhem Moulin2018-04-041
|
* sympa: wibbleGuilhem Moulin2018-04-042
|
* Firewall: Allow DNS queries over TCP.Guilhem Moulin2018-04-041
|
* APT: use deb.debian.org as archive source.Guilhem Moulin2018-04-041
|
* Postscreen: improve DNSBL sites and scores.Guilhem Moulin2018-04-041
|
* Amavis: bind server to INADDR_LOOPBACKGuilhem Moulin2018-04-041
|
* Perform recipient address verification on the MSA itself.Guilhem Moulin2018-04-044
|
* LDAP: Expose part of the database to Nextcloud.Guilhem Moulin2018-04-042
|
* Upgrade syntax to Ansible 2.5.Guilhem Moulin2018-04-043
|
* Upgrade syntax to Ansible 2.4.Guilhem Moulin2017-11-235
|
* More logcheck-database tweaks.Guilhem Moulin2017-09-143
|
* Fix detection of KVM guests.Guilhem Moulin2017-07-293
|
* rkhunter: Disable remote updates to fix CVE-2017-7480.Guilhem Moulin2017-07-291
|
* Use MariaDB as default MySQL flavor.Guilhem Moulin2017-07-295
|
* Don't install debsecan anymore by default.Guilhem Moulin2017-06-262
| | | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196
* MySQL: Use a single InnoDB file per table.Guilhem Moulin2017-06-151
|
* Webmail: don't allow outgoing TCP/993 connections.Guilhem Moulin2017-06-151
| | | | We're going through IPsec to communicate with the IMAP server.
* postfix-sender-login: strip extension before lookup.Guilhem Moulin2017-06-131
| | | | | | Users can add an extension (following postconf(5)'s $recipient_delimiter) to the local part of any envelope sender address already allowed.
* More logcheck-database tweaks.Guilhem Moulin2017-06-071
|
* postfix-msa: anonymize SASL-authenticated senders using IPv6.Guilhem Moulin2017-06-061
|
* dovecot-auth-proxy: Fix synopsis line.Guilhem Moulin2017-06-051
|
* postscreen: lower zen.spamhaus.org DNSBL score from 3 to 2 on the MX:es.Guilhem Moulin2017-06-051
| | | | | So being listed on that BL doesn't yield a flat reject if the IP isn't also listed to other lists.
* postfix-sender-login: wibbleGuilhem Moulin2017-06-052
|
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-059
|
* move postfix-sender-login.{service,socket} to files/.Guilhem Moulin2017-06-022
|
* postfix: enable XFORWARD command from our internal relays.Guilhem Moulin2017-06-021
|
* postfix: don't rate-limit our IPsec subnet.Guilhem Moulin2017-06-023
|
* postfix-sender-login: terminate the worker after 32*$nProc connections to ↵Guilhem Moulin2017-06-011
| | | | release ressources.
* postfix-sender-login: handle EINTR in read(2) and write(2) calls.Guilhem Moulin2017-06-011
|
* postfix-sender-login: pre-fork 2 servers.Guilhem Moulin2017-06-011
| | | | | On Linux perl's allow multiple children to block in a call to accept(2) so we don't need to place a lock around the call.
* Don't make Roundcube add a 'X-Sender' header with the sender's identity.Guilhem Moulin2017-06-011
|
* Don't let authenticated client use arbitrary sender addresses.Guilhem Moulin2017-06-0110
| | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.