summaryrefslogtreecommitdiffstats
path: root/roles
Commit message (Collapse)AuthorAgeFiles
...
* postfix-sender-login: terminate the worker after 32*$nProc connections to ↵Guilhem Moulin2017-06-011
| | | | release ressources.
* postfix-sender-login: handle EINTR in read(2) and write(2) calls.Guilhem Moulin2017-06-011
|
* postfix-sender-login: pre-fork 2 servers.Guilhem Moulin2017-06-011
| | | | | On Linux perl's allow multiple children to block in a call to accept(2) so we don't need to place a lock around the call.
* Don't make Roundcube add a 'X-Sender' header with the sender's identity.Guilhem Moulin2017-06-011
|
* Don't let authenticated client use arbitrary sender addresses.Guilhem Moulin2017-06-0110
| | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.
* /lib/systemd/system → /etc/systemd/systemGuilhem Moulin2017-05-3117
|
* Also install non-free firmwares on civett.Guilhem Moulin2017-05-302
|
* Install more sympa dependencies.Guilhem Moulin2017-05-291
|
* Use blackhole subdomain for sender addresses of verify probes.Guilhem Moulin2017-05-163
| | | | | | | | | | | These addresses need to be accepted on the MX:es, as recipients sometimes phone back during the SMTP session to check whether the sender exists. Since a time-dependent suffix is added to the local part (cf. http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's not enough to drop incoming mails to ‘double-bounce@fripost.org’, and it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-147
|
* webmail: use Zend opcache and configure APCu.Guilhem Moulin2017-05-143
|
* sympa: don't tweak /etc/logrotate.d/sympa.Guilhem Moulin2017-05-141
|
* wwsympa: allow write access to /var/spool/sympa.Guilhem Moulin2017-05-141
| | | | Request to post and moderate messages using the web interface.
* MSA: reject null sender address.Guilhem Moulin2017-05-144
|
* IMAP: new script list-users.Guilhem Moulin2017-05-142
|
* Fix Ansible 2.2.0 compatibility of a Jinja2 template.Guilhem Moulin2017-01-141
|
* Allow SMTP client from whitelisted IPs to bypass postscreen checks.Guilhem Moulin2017-01-141
|
* nginx: set Referrer-Policy HTTP header to "no-referrer".Guilhem Moulin2016-12-131
|
* nginx: add support for HTTP/2.Guilhem Moulin2016-12-135
|
* dovecot: Deduplicate attachments hourly, just before automatic backup.Guilhem Moulin2016-12-111
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-104
|
* More logcheck-database tweaks.Guilhem Moulin2016-12-081
|
* wiki: Add instruction for how to add the post-update hook.Guilhem Moulin2016-12-081
|
* Dovecot: Explicitly disable LDAP.Guilhem Moulin2016-12-081
|
* gitolite: allow hook.* git config keys.Guilhem Moulin2016-12-081
|
* Upgrade to lacme 0.2-1.Guilhem Moulin2016-12-082
|
* Webmail: Install XCache (PHP opcode cacher).Guilhem Moulin2016-12-081
|
* Dovecot: use fallocate(2) to preallocate new mdbox files.Guilhem Moulin2016-12-081
|
* Postscreen: Give temporary whitelist status to primary MX addresses only.Guilhem Moulin2016-09-201
|
* systemd: Ensure sympa service is enabled.Guilhem Moulin2016-09-181
|
* lacme-certs.conf: don't restart but reload dovecot after renewing IMAPS cert.Guilhem Moulin2016-09-181
| | | | | | Unfortunately as of Debian 8.6 (Jessie) dovecot's service file doesn't have a “Reload” directive, so we can't use `/bin/systemctl restart dovecot` as notification. It'll be fixed in Stretch, though.
* Postfix: ensure common aliases are present.Guilhem Moulin2016-09-183
|
* FreshClam: change ownership of /etc/clamav/freshclam.conf.Guilhem Moulin2016-09-181
| | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444
* Firewall: allow duplicates rules.Guilhem Moulin2016-09-181
|
* More logcheck-database tweaks.Guilhem Moulin2016-08-222
|
* HSTS: use the standard capitalization of includeSubDomains.Guilhem Moulin2016-07-121
| | | | Cf. RFC 6797 sec. 6.1.2.
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-124
|
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-125
|
* nginx: Don't hard-code the HPKP headers.Guilhem Moulin2016-07-1213
| | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.Guilhem Moulin2016-07-102
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-1013
|
* Postfix MX/MSA instances: put certs in the the instance's $config_directory.Guilhem Moulin2016-07-105
|
* Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵Guilhem Moulin2016-07-102
| | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers.
* Postfix: avoid hardcoding the instance names.Guilhem Moulin2016-07-102
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-1012
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-105
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-107
|
* Route SMTP traffic from the webmail through IPsec.Guilhem Moulin2016-07-108
|
* More logcheck-database tweaks.Guilhem Moulin2016-07-092
|
* Localize the NTP pool hostnames.Guilhem Moulin2016-07-091
|