summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
* wibbleGuilhem Moulin2015-06-076
|
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-076
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-077
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* wibbleGuilhem Moulin2015-06-0711
|
* Include amavisd-new's LDAP schema.Guilhem Moulin2015-06-071
| | | | | | It'd certainly be nicer if we didn't have to deploy amavis' schema everywhere, but we need the 'objectClass' in our replicates, hence they need to be aware of the 'amavisAccount' class.
* Configure the content filter.Guilhem Moulin2015-06-0714
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* wibbleGuilhem Moulin2015-06-072
|
* oopsGuilhem Moulin2015-06-071
|
* Install common packages.Guilhem Moulin2015-06-071
|
* Configure S.M.A.R.T.Guilhem Moulin2015-06-072
|
* Configure NTP.Guilhem Moulin2015-06-075
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Rename the role 'mx' into 'MX'.Guilhem Moulin2015-06-0714
| | | | Other abreviations are upper case.
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-078
|
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-079
|
* wibbleGuilhem Moulin2015-06-074
|
* Configure the IMAP server.Guilhem Moulin2015-06-0714
| | | | (For now, only LMTP and IMAP processes, without replication.)
* oopsGuilhem Moulin2015-06-071
|
* Configure the LDAP provider.Guilhem Moulin2015-06-073
| | | | (Hence the SyncProv overlay.)
* LDAP Sync Replication.Guilhem Moulin2015-06-073
|
* Postfix is compiled without SASL support.Guilhem Moulin2015-06-077
| | | | As of 2.9.6 (2.10), at least. See bug #730848.
* Configure the MX:es.Guilhem Moulin2015-06-0716
|
* Provision /etc/default/slapdGuilhem Moulin2015-06-072
| | | | | | | This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-073
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-074
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Allow flexible ACLs for SASL's EXTERNAL mechanism.Guilhem Moulin2015-06-071
| | | | | | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Reorganization.Guilhem Moulin2015-06-078
|
* Optimize LDAP modifications.Guilhem Moulin2015-06-071
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Load our schema *before* the database.Guilhem Moulin2015-06-071
| | | | Since indices are specified in the database LDIF.
* Reformulate the headers showing the license.Guilhem Moulin2015-06-076
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Configure debsecan.Guilhem Moulin2015-06-072
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-076
|
* Common MySQL configuration.Guilhem Moulin2015-06-072
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-077
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Fix unattended-upgrades's configuration.Guilhem Moulin2015-06-071
| | | | | ${distro_codename} doesn't work properly there, so we put stable and/or oldstable instead.
* wibbleGuilhem Moulin2015-06-071
| | | | | Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with [ ! "$string" ].
* Replace the 'syslog' facility (5) by 'user' (1).Guilhem Moulin2015-06-072
| | | | | 'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages.
* wibbleGuilhem Moulin2015-06-073
|
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-073
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Don't start daemons when there is a triggered handler.Guilhem Moulin2015-06-074
| | | | This is pointless since the service will be restarted anyway.
* Flush pending handlers between each include.Guilhem Moulin2015-06-076
| | | | | | | | | In particular, run 'apt-get update' right after configured APT, and restart daemon right after configured them. The advantage being that if ansible crashes in some "task", the earlier would already be restarted if neeeded. (This may not happen in the next run since the configuration should already be up to date.)
* We are not using nf_conntrack.Guilhem Moulin2015-06-071
|
* Autostart daemons.Guilhem Moulin2015-06-075
|
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-073
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Prefer maching on policy rather than marks.Guilhem Moulin2015-06-072
| | | | Also, use ESP tunnel mode instead of transport mode.
* Preserve canonical the order of IP tables.Guilhem Moulin2015-06-071
| | | | I.e., as packets are treated along the way: mangle -> nat -> filter.
* Documentation.Guilhem Moulin2015-06-071
|
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-076
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Major refactoring of the firewall.Guilhem Moulin2015-06-072
| | | | | | | | | | Also, added some options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only
* Don't save dynamic rules.Guilhem Moulin2015-06-073
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Use a dedicated 'fail2ban' chain for fail2ban.Guilhem Moulin2015-06-072
| | | | So it doesn't mess with the high-priority rules regarding IPSec.