summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Matthijs Kooijman [Mon, 8 Feb 2010 14:52:04 +0000 (15:52 +0100)]
pam: Make dovecot check the mailHost attribute.
Previously (in an uncommited pam.d/dovecot file), dovecot just used the
common-{auth,account}, which checked the "host" attribute. Now the
mailHost attribute is checked, so only people that have their email
delivered here can use IMAP.
Matthijs Kooijman [Mon, 8 Feb 2010 12:28:57 +0000 (13:28 +0100)]
dovecot: Enable plain authentication and non-TLS connections.
This saves encryption and issues with certificate verifcation when
connection from locally running webmail apps.
Matthijs Kooijman [Mon, 8 Feb 2010 11:13:37 +0000 (12:13 +0100)]
apt: Add lenny-backports (for dovecot).
Matthijs Kooijman [Wed, 13 Jan 2010 18:19:42 +0000 (19:19 +0100)]
Don't reject spam messages from a few trusted hosts.
Rejecting this messages would only cause those hosts to generate useless
delivery failures to innocent people. Instead, we just deliver these
messages...
Matthijs Kooijman [Wed, 13 Jan 2010 17:19:51 +0000 (18:19 +0100)]
exim: Don't log headers on rejection.
Matthijs Kooijman [Tue, 24 Nov 2009 21:04:01 +0000 (22:04 +0100)]
exim4: Add hekjelarp.nl domain.
Matthijs Kooijman [Fri, 9 Oct 2009 14:48:03 +0000 (16:48 +0200)]
nullmailer: remove configuration.
Nullmailer is not needed on this vserver, since exim handles email
directly.
Matthijs Kooijman [Wed, 3 Jun 2009 10:51:41 +0000 (12:51 +0200)]
exim4: Don't send delay warnings.
By default, Exim sends a warning to the sender of a message every 24h as
long is it couldn't be delivered. This isn't really useful to most
people, so we disable it.
Matthijs Kooijman [Wed, 3 Jun 2009 10:41:32 +0000 (12:41 +0200)]
exim: Keep mail for relay domains for 30 days.
This ensures we won't start throwing away mail after 4 days for the
domains we're a backup MX for.
Matthijs Kooijman [Thu, 28 May 2009 09:39:15 +0000 (11:39 +0200)]
exim: Put "Message too big" in X-Spam-Score.
Previously, the "Message too big, not scanned." message was put in the
X-Spam-Report header. Putting it in X-Spam-Score allows clients to see
the what and why of a spam score withouth downloading the (probably
larger) X-Spam-Report header.
Matthijs Kooijman [Sat, 9 May 2009 13:35:58 +0000 (15:35 +0200)]
exim: Accept mails without a valid sender in the headers.
A mail should still have a valid envelope from address, but we'll not
force mail to have a valid address in the headers. This is specifically
so mail from the inter-actief.lokaal domain can still be delivered.
root [Tue, 5 May 2009 16:20:22 +0000 (18:20 +0200)]
Merge commit 'origin/template' into mail
* commit 'origin/template':
rsyslog: Use another format for forwarding messages.
ssh: Disable changing of the oom_adj value.
ssh: Add default initscript configuration.
Matthijs Kooijman [Tue, 5 May 2009 16:09:52 +0000 (18:09 +0200)]
rsyslog: Use another format for forwarding messages.
The syslog protocol 23 format seems to be broken in rsyslog for messages
that were originally generated by legacy applications (i.e., do not have
a structured-data field).
See http://bugzilla.adiscon.com/show_bug.cgi?id=125
Matthijs Kooijman [Tue, 5 May 2009 15:07:10 +0000 (17:07 +0200)]
ssh: Disable changing of the oom_adj value.
This value is meant for making sure ssh is never killed by the oom
killer, but that is not allowed inside vservers.
Matthijs Kooijman [Tue, 5 May 2009 15:06:45 +0000 (17:06 +0200)]
ssh: Add default initscript configuration.
Matthijs Kooijman [Tue, 5 May 2009 14:43:13 +0000 (16:43 +0200)]
exim: Forward mail for logcheck to root.
Matthijs Kooijman [Tue, 5 May 2009 14:41:37 +0000 (16:41 +0200)]
exim: Add default /etc/aliases file.
Debconf has already filled in my username, so it's not completely
default. Also, the comments on top of the file were updated to reflect
the current exim configuration.
Matthijs Kooijman [Tue, 5 May 2009 14:29:56 +0000 (16:29 +0200)]
Merge commit 'origin/template' into mail
* commit 'origin/template':
rsyslog: Make the main queue disk-assisted as well.
rsyslog: Enable queuing of log messages.
nss: Add some comments.
rsyslog: Send all logs to the log vserver.
rsyslog: Move all rsyslog log files into a subdir.
rsyslog: Update logrotate config to new rsyslog config.
rsyslog: Add default logrotate config.
rsyslog: Disable logging of kernel messages.
rsyslog: Enable loggin of mark lines.
rsyslog: Clean up rsyslog configuration.
rsyslog: Add default configuration.
pam: Add pam_permit to the auth section of chfn.
nss: Update to use our custom LDAP schema.
apt: Set the Default-Release to "stable".
Conflicts:
etc/rsyslog.conf
Matthijs Kooijman [Tue, 5 May 2009 13:55:27 +0000 (15:55 +0200)]
rsyslog: Make the main queue disk-assisted as well.
Matthijs Kooijman [Tue, 5 May 2009 13:07:22 +0000 (15:07 +0200)]
rsyslog: Enable queuing of log messages.
This prevents messages from getting lost when the log vserver is
temporarily unavailable.
Matthijs Kooijman [Tue, 5 May 2009 09:17:28 +0000 (11:17 +0200)]
nss: Add some comments.
Matthijs Kooijman [Tue, 5 May 2009 08:52:30 +0000 (10:52 +0200)]
rsyslog: Send all logs to the log vserver.
This happens in addition to local logging.
Matthijs Kooijman [Tue, 5 May 2009 08:17:52 +0000 (10:17 +0200)]
rsyslog: Move all rsyslog log files into a subdir.
This allows us to use *.log in the logrotate configuration, without
conflicting with logfiles not created by rsyslog.
Matthijs Kooijman [Mon, 4 May 2009 20:41:06 +0000 (22:41 +0200)]
rsyslog: Update logrotate config to new rsyslog config.
Matthijs Kooijman [Mon, 4 May 2009 20:37:56 +0000 (22:37 +0200)]
rsyslog: Add default logrotate config.
Matthijs Kooijman [Mon, 4 May 2009 20:31:27 +0000 (22:31 +0200)]
rsyslog: Disable logging of kernel messages.
The vservers won't have access to the kernel messages anyway.
Matthijs Kooijman [Mon, 4 May 2009 20:26:54 +0000 (22:26 +0200)]
rsyslog: Enable loggin of mark lines.
Matthijs Kooijman [Mon, 4 May 2009 20:00:15 +0000 (22:00 +0200)]
rsyslog: Clean up rsyslog configuration.
This removes some commented out lines, and reorganizes the existing
logfiles to be more consistent.
Matthijs Kooijman [Mon, 4 May 2009 19:50:28 +0000 (21:50 +0200)]
rsyslog: Add default configuration.
Matthijs Kooijman [Mon, 4 May 2009 12:58:56 +0000 (14:58 +0200)]
exim: Don't do sender verification by callout.
Doing callouts puts extra resource pressure on the called server. Since
the sender address will be forged in a lot of cases anyway, this won't
really help us and can be used in a DDOS attack on some server. See
http://www.backscatterer.org/index.php?target=sendercallouts
Matthijs Kooijman [Thu, 30 Apr 2009 14:58:09 +0000 (16:58 +0200)]
exim: Relay mail for fizzgig.{eu,nl}.
Matthijs Kooijman [Thu, 30 Apr 2009 14:56:16 +0000 (16:56 +0200)]
exim4: Let exim know its external hostname.
This allows relaying to other domains (e.g., work as a backup MX) to
work, since exim knows defer mails instead of sending them to itself
again.
Matthijs Kooijman [Thu, 30 Apr 2009 07:15:51 +0000 (09:15 +0200)]
rsyslog: Add default configuration.
Matthijs Kooijman [Mon, 27 Apr 2009 14:16:38 +0000 (16:16 +0200)]
exim: Restructure the spam handling acls.
Previously, exim would have its own spam score threshold and expect
spamassassin to mark any messages as spam (even with negative score), so
spam headers could be added on non-rejected messages. Now, we use three
acl clauses instead of just one, allowing us to accept the judgment of
spamassassin again and add spam headers in a separate clause.
Matthijs Kooijman [Mon, 27 Apr 2009 14:15:49 +0000 (16:15 +0200)]
spamassassin: Mark messages as spam with score > 20.
Previously all messages would be marked and exim would set the
threshold, but this is about to change.
Matthijs Kooijman [Mon, 27 Apr 2009 14:01:53 +0000 (16:01 +0200)]
exim: Set the spamassassin profile to "spamd".
This should really matter, but setting it to "default" made spamd
complain about the user "default" not being found.
Matthijs Kooijman [Mon, 27 Apr 2009 13:56:34 +0000 (15:56 +0200)]
exim: Correct spam rejection threshold.
The score used to be compared with 20, but that really means spamscore
2.0. So we set it to 200 instead, for rejecting when the score is >20.
Matthijs Kooijman [Mon, 27 Apr 2009 13:55:06 +0000 (15:55 +0200)]
spamassassin: Run as user "spamd" instead of root.
When running as root, spamd will run as whatever user the client claims
to be, to read preferences. Since this is not-so-secure, we'll just run
as an unprivileged user to begin with (since we don't do per-user
privileges anyway).
Matthijs Kooijman [Sat, 25 Apr 2009 20:17:26 +0000 (22:17 +0200)]
exim: Add more email domains.
The list now includes all domains I process email for.
Matthijs Kooijman [Sat, 25 Apr 2009 19:51:00 +0000 (21:51 +0200)]
spamassassin: Set a custom spam report template.
The default template is long and wordy, and says the message is marked
as spam. In our configuration, all messages get the report, so that is
not very accurate.
Matthijs Kooijman [Sat, 25 Apr 2009 19:48:57 +0000 (21:48 +0200)]
exim: Add spamcheck ACL.
This ACL always adds spam headers to messages, and denies messages that
have a very high (>20) spamscore.
Matthijs Kooijman [Sat, 25 Apr 2009 16:33:47 +0000 (18:33 +0200)]
spamassassin: Set the threshold really low (-100.0).
Exim will has its own spamscore threshold, but only adds spam headers on
messages that are spam according to spamassasin. So we set the threshold
really low here.
Matthijs Kooijman [Sat, 25 Apr 2009 16:33:19 +0000 (18:33 +0200)]
spamassassin: Mark a bunch of hosts as internal.
Matthijs Kooijman [Sat, 25 Apr 2009 16:32:52 +0000 (18:32 +0200)]
spamassassin: Remove default (commented) configuration.
Matthijs Kooijman [Sat, 25 Apr 2009 16:18:02 +0000 (18:18 +0200)]
spamassassin: Enable nightly updates through cron.
Matthijs Kooijman [Sat, 25 Apr 2009 16:17:47 +0000 (18:17 +0200)]
spamassassin: Enable.
Matthijs Kooijman [Sat, 25 Apr 2009 16:16:39 +0000 (18:16 +0200)]
spamassassin: Add default configuration.
Matthijs Kooijman [Sat, 25 Apr 2009 15:53:05 +0000 (17:53 +0200)]
exim: Add vim modelines to all config files.
Matthijs Kooijman [Fri, 17 Apr 2009 13:15:44 +0000 (15:15 +0200)]
system: Set hostname and mailname
Matthijs Kooijman [Wed, 15 Apr 2009 17:43:11 +0000 (19:43 +0200)]
exim4: Use dovecot for delivery only.
This removes all previous delivery methods (.forward files, procmail and
direct Maildir delivery) in favour of using dovecot's deliver program.
Dovecot supports forwarding and filtering use sieve scripts and knows
exactly where a user's mailbox should be, so this does not remove
functionality but prevents duplicate configuration.
Matthijs Kooijman [Wed, 15 Apr 2009 17:41:49 +0000 (19:41 +0200)]
dovecot: Customize the configuration.
This enables dovecot for imaps and email delivery, using sieve for
filtering, pam and nss for authnz and enabling virtual mailboxes.
Matthijs Kooijman [Tue, 14 Apr 2009 10:05:44 +0000 (12:05 +0200)]
exim: Fix domainlist references by prepending a +.
All mail delivery was broken, since the local_domains domainlist was not
properly set.
Matthijs Kooijman [Mon, 13 Apr 2009 16:00:00 +0000 (18:00 +0200)]
dovecot: Add default configuration.
Matthijs Kooijman [Mon, 13 Apr 2009 15:48:38 +0000 (17:48 +0200)]
pam: Add pam_permit to the auth section of chfn.
The chfn command did not work before, since it checks account as well as
auth.
Matthijs Kooijman [Mon, 13 Apr 2009 15:22:39 +0000 (17:22 +0200)]
nss: Update to use our custom LDAP schema.
This uses the uniqueMember attribute containing dns instead of the
memberUid attribute containing usernames for forming groups.
Additionally, it tells nss-ldap about our replacement for the posixGroup
objectClass.
Matthijs Kooijman [Mon, 13 Apr 2009 15:21:33 +0000 (17:21 +0200)]
apt: Set the Default-Release to "stable".
Matthijs Kooijman [Wed, 8 Apr 2009 17:41:28 +0000 (19:41 +0200)]
exim: Completely review the exim configuration.
This commit mostly removes the fancy Debian debconf automatic stuff,
since that creates a lot of overhead with macros being defined in one
place and the actual configuration in another place. Other unused parts
of the configuration are also unused.
Configuration is added for the main delivery lookups to happen from
ldap data. Both persons and groups in the LDAP directory can have email
addresses defined, which will then get forwarded or delivered
appropriately (for emailaddresses in the virtual_domains setting, of
course). Email will also be delivered for any username@host addresses,
where host is one of the drsnuggles vservers.
Matthijs Kooijman [Mon, 30 Mar 2009 07:38:57 +0000 (09:38 +0200)]
exim: Add initial configuration.
This configuration is generated by debconf by question answering.
Matthijs Kooijman [Tue, 30 Dec 2008 23:00:45 +0000 (00:00 +0100)]
pam: Let pam.d/cron include common-account.
The changes to common-account make the custom account section of
pam.d/cron unneeded.
Matthijs Kooijman [Tue, 30 Dec 2008 22:58:24 +0000 (23:58 +0100)]
pam: Let pam.d/su include common{account,session}.
Since pam.d/other was removed, su was missing the account and session
entries and failed.
Matthijs Kooijman [Tue, 30 Dec 2008 22:56:17 +0000 (23:56 +0100)]
pam: Make common-account also support unix users.
This makes sure that common-account supports both unix users (from
passwd) and ldap users. A lot of services don't do real (password)
authentication, but do need to work for both ldap and unix users (cron,
su).
common-auth still only works for ldap users, since those are the only
ones with actual passwords.
Matthijs Kooijman [Tue, 30 Dec 2008 22:51:27 +0000 (23:51 +0100)]
pam: Add .so to module names in pam.d/other.
Matthijs Kooijman [Tue, 30 Dec 2008 16:04:28 +0000 (17:04 +0100)]
pam: Deny everything in pam.d/other.
Matthijs Kooijman [Tue, 30 Dec 2008 16:01:26 +0000 (17:01 +0100)]
pam: Add default pam.d/other file.
Matthijs Kooijman [Tue, 30 Dec 2008 15:50:45 +0000 (16:50 +0100)]
pam: Fix pam configuration for cron.
This allows non-ldap users (say, root) to use cron.
Matthijs Kooijman [Tue, 30 Dec 2008 10:38:15 +0000 (11:38 +0100)]
pam: Don't allow console logins.
We don't have a console on a vserver anyway...
Matthijs Kooijman [Tue, 30 Dec 2008 10:36:39 +0000 (11:36 +0100)]
pam: Allow only root to change shells and user info.
Since changing user info and shells for ldap users is not supported by
chfn and chsh anyway, and we have no real users that are not in ldap,
limiting this to just root makes sense.
Matthijs Kooijman [Tue, 30 Dec 2008 10:24:58 +0000 (11:24 +0100)]
pam: Add default pamd.d/{chfn,chsh,cron,login} files.
Matthijs Kooijman [Mon, 29 Dec 2008 19:03:51 +0000 (20:03 +0100)]
pam: Remove all but one line from pam.d/su.
The session modules seem useless, and the common files only include ldap
and don't know about root, so that only gives warnings when root is
trying to su.
This makes it impossible for non-root users to use su, but that's a
feature.
Matthijs Kooijman [Mon, 29 Dec 2008 19:03:15 +0000 (20:03 +0100)]
pam: Add default pam.d/su file.
Matthijs Kooijman [Thu, 9 Oct 2008 20:20:13 +0000 (22:20 +0200)]
system: Set the timezone to Europe/Amsterdam.
Matthijs Kooijman [Thu, 9 Oct 2008 15:46:18 +0000 (15:46 +0000)]
apt: Move local repository from ~matthijs to /data.
Matthijs Kooijman [Thu, 9 Oct 2008 13:15:34 +0000 (13:15 +0000)]
bash: Include bash.bashrc from /etc/profile.
Matthijs Kooijman [Thu, 9 Oct 2008 13:14:52 +0000 (13:14 +0000)]
system: Add resolv.conf, pointing to the DNS vserver.
root [Tue, 30 Sep 2008 14:49:56 +0000 (14:49 +0000)]
bash: Add default global profile script.
root [Tue, 30 Sep 2008 14:33:29 +0000 (14:33 +0000)]
bash: Enable extended completion.
root [Tue, 30 Sep 2008 14:32:51 +0000 (14:32 +0000)]
bash: Add initial bashrc.
root [Fri, 26 Sep 2008 10:16:05 +0000 (10:16 +0000)]
nss: Don't use mdns for name resolution.
This change was automatically made by removing avahi-daemon.
root [Fri, 26 Sep 2008 10:15:05 +0000 (10:15 +0000)]
nullmailer: Add configuration.
root [Thu, 25 Sep 2008 15:36:02 +0000 (15:36 +0000)]
pam: Enable LDAP host attribute checking.
root [Thu, 25 Sep 2008 15:30:51 +0000 (15:30 +0000)]
pam: Only use LDAP for auth and account, remove unix authentication.
root [Thu, 25 Sep 2008 12:19:43 +0000 (12:19 +0000)]
pam: Simplify configuration.
root [Thu, 25 Sep 2008 10:24:14 +0000 (10:24 +0000)]
pam: Use LDAP for authentication.
root [Thu, 25 Sep 2008 10:23:45 +0000 (10:23 +0000)]
nss: Use LDAP for passwd and group.
root [Thu, 25 Sep 2008 07:48:37 +0000 (07:48 +0000)]
pam: Add default pam common- files.
root [Thu, 21 Aug 2008 16:04:27 +0000 (16:04 +0000)]
Add local debian repository.
root [Thu, 21 Aug 2008 15:45:24 +0000 (15:45 +0000)]
Import initial sources.list.