| Commit message (Collapse) | Author | Age | Files |
|
|
|
|
| |
Also, switch from rsa4096 to ed25519 and use a separate key for each
syncrepl.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
As of bullseye amavis needs the private key material to be reabled by
the 'amavis' user.
|
| |
|
|
|
|
|
|
|
| |
Provisioning /etc/dovecot/conf.d/*.conf is a pain on upgrade so we
consolidate that by reverting these files to the distro-provided ones
and shipping a single /etc/dovecot/conf.d/99-local.conf override
instead.
|
|
|
|
| |
Cf. msgid=<ZFe5tjHTGbVemNTD@fripost.org>
|
| |
|
| |
|
|
|
|
| |
Cf. msgid=<c368f04c-b8d1-4623-98f0-b6a3b724f90d@dubre.me>.
|
|
|
|
| |
Per upstream recommendation at https://cloud.fripost.org/settings/admin/overview .
|
|
|
|
|
|
| |
See https://github.com/sympa-community/sympa/issues/879 ,
https://www.sympa.community/manual/upgrade/notes.html#from-version-prior-to-6256 and
https://www.sympa.community/gpldoc/man/sympa_config.5.html#wwsympa_url_local .
|
| |
|
| |
|
| |
|
|
|
|
| |
These days upstream's ‘mysql_user’ is good enough.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
This silences the following deprecation warning:
Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
|
| |
|
|
|
|
| |
For a smooth upgrade to Bullseye's lacme 0.8-1.
|
|
|
|
| |
ansible 2.10.7 uses "ansible-ansible.legacy.stat: Invoked with […]".
|
|
|
|
|
| |
We want to give people the time add the key to DNS before we update the
signing policy.
|
| |
|
| |
|
|
|
|
| |
See https://salsa.debian.org/roundcube-team/roundcube/-/commit/f1e89494e8b777d69564e67f2d8b47ac84eb02f4 .
|
|
|
|
| |
Per https://salsa.debian.org/roundcube-team/roundcube/commit/7df02624eec4857053432d8ebe9b4e2b36f22bc5 .
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing. With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:
postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)
This applies to the smarthost as well as for verification probes on the
Mail Submission Agent. Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.
This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain. Other domains, even those using mx[12].fripost.org as MX, are
not covered. A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration. It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.
|
|
|
|
| |
See https://bugs.debian.org/975862 .
|
|
|
|
|
| |
Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap
so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.
|
| |
|
|
|
|
| |
See https://bugs.debian.org/932594#15 .
|
| |
|
|
|
|
| |
Regression from ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3.
|
|
|
|
|
|
|
|
|
| |
(Excluding our NTP master.) It's simpler, arguably more secure, and
provides enough functionality when only simple client use-cases are
desired.
We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd
can connect to the fallbacks NTP servers.
|
|
|
|
|
|
| |
In particular, trigger weekly differential backups for mailboxes, and exclude
Dovecot's transaction/index/etc log and cache files which are constantly
updated but not useful assets to backup.
|
| |
|
|
|
|
| |
This is in particular needed for traceroutes and routing loop detection.
|