summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
...
* wibbleGuilhem Moulin2015-06-073
|
* Fix the catch-all resolution again.Guilhem Moulin2015-06-0718
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-0714
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Remove list commands.Guilhem Moulin2015-06-072
| | | | | | They were only a dirty hack for list commands à la Mailman such as mylist-request. If we are to use another list manager such as mlmmj, which uses a VERP delimiter instead, the problem disappears.
* Don't pass the client information unless necessary.Guilhem Moulin2015-06-072
|
* Don't use IPSec to relay messages to localhost.Guilhem Moulin2015-06-074
|
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-074
|
* typoGuilhem Moulin2015-06-076
|
* Fix catchall resolution.Guilhem Moulin2015-06-0716
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Install haveged.Guilhem Moulin2015-06-072
| | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/
* Install ClamAV.Guilhem Moulin2015-06-072
|
* Remove the 'fripostLocalAlias' attribute.Guilhem Moulin2015-06-076
| | | | | | | | | | | | | Instead, we pretend that lists are valid users (via a match in the mailbox_transport_maps) but choose a different transport (with the same request in transport_maps). The advantage is that we get rid of the ugly hack for list transport… A minor drawback is that we now have two LDAP lookups instead of one for non local addresses (ie, everything but reserved addresses). Hopefully the requests are cached; but even if they aren't, querying a local LDAP server is supposed to be cheap.
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-076
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Use a local IMAP caching proxy under the webmail.Guilhem Moulin2015-06-0710
| | | | | | | | | | | | (Unless the webmail is itself a full IMAP server.) It replaces RoundCube's own IMAP and message caches. Dovecot's IMAPC storage backend is not very documented, but provides smart IMAP proxying. References include: http://dovecot.org/pipermail/dovecot/2011-January/056975.html http://wiki2.dovecot.org/HowTo/ImapcProxy http://wiki2.dovecot.org/Migration/Dsync
* wibbleGuilhem Moulin2015-06-072
|
* Make the virtual mailboxes visible under RoundCube.Guilhem Moulin2015-06-077
| | | | | | RoundCubes lists subscribed mailboxes only (determined using LIST-EXTENDED by default); also, it seems to ignore new subscriptions to mailboxes not listed by the LIST command.
* Configure the webmail.Guilhem Moulin2015-06-0716
|
* Common web configuration.Guilhem Moulin2015-06-076
|
* Load relevant MySQL authplugins.Guilhem Moulin2015-06-073
| | | | Also, turn off all TCP/IP listener ports.
* Force expansion of escape sequences.Guilhem Moulin2015-06-073
| | | | | By using double quoted scalars, cf. https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
* Compile Spamassassin rules.Guilhem Moulin2015-06-073
| | | | See /usr/share/doc/spamassassin/README.Debian.gz
* Auto-update Spamassassin's ruleset.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-076
|
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-076
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-077
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* wibbleGuilhem Moulin2015-06-0711
|
* Include amavisd-new's LDAP schema.Guilhem Moulin2015-06-071
| | | | | | It'd certainly be nicer if we didn't have to deploy amavis' schema everywhere, but we need the 'objectClass' in our replicates, hence they need to be aware of the 'amavisAccount' class.
* Configure the content filter.Guilhem Moulin2015-06-0714
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* wibbleGuilhem Moulin2015-06-072
|
* oopsGuilhem Moulin2015-06-071
|
* Install common packages.Guilhem Moulin2015-06-071
|
* Configure S.M.A.R.T.Guilhem Moulin2015-06-072
|
* Configure NTP.Guilhem Moulin2015-06-075
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Rename the role 'mx' into 'MX'.Guilhem Moulin2015-06-0714
| | | | Other abreviations are upper case.
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-078
|
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-079
|
* wibbleGuilhem Moulin2015-06-074
|
* Configure the IMAP server.Guilhem Moulin2015-06-0714
| | | | (For now, only LMTP and IMAP processes, without replication.)
* oopsGuilhem Moulin2015-06-071
|
* Configure the LDAP provider.Guilhem Moulin2015-06-073
| | | | (Hence the SyncProv overlay.)
* LDAP Sync Replication.Guilhem Moulin2015-06-073
|
* Postfix is compiled without SASL support.Guilhem Moulin2015-06-077
| | | | As of 2.9.6 (2.10), at least. See bug #730848.
* Configure the MX:es.Guilhem Moulin2015-06-0716
|
* Provision /etc/default/slapdGuilhem Moulin2015-06-072
| | | | | | | This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-073
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-074
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Allow flexible ACLs for SASL's EXTERNAL mechanism.Guilhem Moulin2015-06-071
| | | | | | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Reorganization.Guilhem Moulin2015-06-078
|
* Optimize LDAP modifications.Guilhem Moulin2015-06-071
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Load our schema *before* the database.Guilhem Moulin2015-06-071
| | | | Since indices are specified in the database LDIF.