| Commit message (Collapse) | Author | Age | Files |
|---|
| ... | |
| |
|
|
| |
Add frame-ancestors and form-action.
|
| | |
|
| |
|
|
|
|
| |
And drop -ldap from all roles other than MX. -lmdb is included in
roles/common but it can be helpful to have it individual roles as well
as they can be run individually.
|
| |
|
|
| |
Run as a dedicated user, not ‘postfix’.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
|
| |
|
|
|
|
|
|
| |
This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f.
There are no relevant interface changes between 2.2.27 (stretch) and
2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h`
and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
|
| |
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| |
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| | |
|
| |
|
|
| |
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
|
| | |
|
| | |
|
| |
|
|
| |
To be done when we upgrade to Bullseye for more fine-grained control.
|
| |
|
|
|
|
|
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
| |
|
|
| |
We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
|
| |
|
|
|
| |
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traverslate (UDP encapsulation aka MOBIKE).
|
| | |
|
| | |
|
| |
|
|
| |
For use with Nextcloud 18, cf. https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx .
|
| |
|
|
|
| |
We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy
§9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction .
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We leave dynamic pages (those passed to PHP-FPM) alone for now:
compressing them would make us vulnerable to BREACH attacks. This will
be revisited once Roundcube 1.5 is released: 1.5 adds support for the
same-site cookie attribute which once set to 'Strict' makes it immune to
BREACH attacks:
https://github.com/roundcube/roundcubemail/pull/6772
https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
|
| |
|
|
|
| |
$ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \
| sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
|
| | |
|
| | |
|
| |
|
|
| |
They don't appear to be supported anymore.
|
| |
|
|
|
| |
It doesn't integrate too well with the new elastic theme at the moment.
https://github.com/corbosman/keyboard_shortcuts
|
| | |
|
| |
|
|
|
| |
We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1)
for the elastic theme.
|
| |
|
|
| |
lacme now ships that file as /etc/lacme/nginx.conf.
|
| |
|
|
|
|
|
|
| |
For postfix, don't defer if "abused legit". (I.e., DBL return code in
the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
On the infrastructure boundary. We don't reject/quarantine as it would
affect members who forward their mail sent to <user@example.com> to
<user@fripost.org>. Members can install Sieve rules to send any
messages with failed Authentication-Results headers directly in their
spambox.
|
| |
|
|
|
| |
We shouldn't use RuntimeDirectory to create it anew because is belongs
to the Sympa daemon and WWSympa looks up for PID files in there.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
|
| |
|
|
| |
This was forgotten in 0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204.
|
| | |
|
| |
|
|
|
|
| |
Also, update baseline to Debian 10 (codename Buster) and deploy a local
Redis instance for Transactional File Locking
https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html#id2
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/
It's also fairly easy to deploy onto the Debian infrastucture:
$ USERNAME="guilhem"
$ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user"
$ printf "dkimPubKey: %s %s\n" "$SELECTOR" \
"$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \
| gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
|
| |
|
|
|
|
|
|
| |
Since 1.5 (Buster) APT supports https:// natively. There is no need to
install ‘apt-transport-https’ (now a dummy transitional package)
anymore. Plain-text connection don't undermine security as APT checks
package OpenPGP signatures locally, but there is no reason not to use
TLS here.
|
| |
|
|
|
|
|
|
|
| |
* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability
Bounding Set. (This requires to change the log path to
/var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
|
