matthijs/servers/drsnuggles.git
14 years ago dovecot: Make ~/Mail/Folders the IMAP root.
root [Wed, 17 Mar 2010 14:05:28 +0000 (15:05 +0100)]
dovecot: Make ~/Mail/Folders the IMAP root.

This ensures that the virtual mailboxes don't show up twice and stuff like
the sieve directory isn't accidentally listed.

14 years ago dovecot: Use a real certificate.
Matthijs Kooijman [Thu, 25 Feb 2010 13:37:31 +0000 (14:37 +0100)]
dovecot: Use a real certificate.

Previously, an auto-generated self-signed certificate was used.

14 years ago pam: Make dovecot check the mailHost attribute.
Matthijs Kooijman [Mon, 8 Feb 2010 14:52:04 +0000 (15:52 +0100)]
pam: Make dovecot check the mailHost attribute.

Previously (in an uncommitted pam.d/dovecot file), dovecot just used the
common-{auth,account}, which checked the "host" attribute. Now the
mailHost attribute is checked, so only people that have their email
delivered here can use IMAP.

14 years ago dovecot: Enable plain authentication and non-TLS connections.
Matthijs Kooijman [Mon, 8 Feb 2010 12:28:57 +0000 (13:28 +0100)]
dovecot: Enable plain authentication and non-TLS connections.

This saves encryption and issues with certificate verification when
connecting from locally running webmail apps.

14 years ago apt: Add lenny-backports (for dovecot).
Matthijs Kooijman [Mon, 8 Feb 2010 11:13:37 +0000 (12:13 +0100)]
apt: Add lenny-backports (for dovecot).

14 years ago Don't reject spam messages from a few trusted hosts.
Matthijs Kooijman [Wed, 13 Jan 2010 18:19:42 +0000 (19:19 +0100)]
Don't reject spam messages from a few trusted hosts.

Rejecting these messages would only cause those hosts to generate useless
delivery failures to innocent people. Instead, we just deliver these
messages...

14 years ago exim: Don't log headers on rejection.
Matthijs Kooijman [Wed, 13 Jan 2010 17:19:51 +0000 (18:19 +0100)]
exim: Don't log headers on rejection.

15 years ago exim4: Add hekjelarp.nl domain.
Matthijs Kooijman [Tue, 24 Nov 2009 21:04:01 +0000 (22:04 +0100)]
exim4: Add hekjelarp.nl domain.

15 years ago nullmailer: remove configuration.
Matthijs Kooijman [Fri, 9 Oct 2009 14:48:03 +0000 (16:48 +0200)]
nullmailer: remove configuration.

Nullmailer is not needed on this vserver, since exim handles email
directly.

15 years ago exim4: Don't send delay warnings.
Matthijs Kooijman [Wed, 3 Jun 2009 10:51:41 +0000 (12:51 +0200)]
exim4: Don't send delay warnings.

By default, Exim sends a warning to the sender of a message every 24h as
long as it couldn't be delivered. This isn't really useful to most
people, so we disable it.

15 years ago exim: Keep mail for relay domains for 30 days.
Matthijs Kooijman [Wed, 3 Jun 2009 10:41:32 +0000 (12:41 +0200)]
exim: Keep mail for relay domains for 30 days.

This ensures we won't start throwing away mail after 4 days for the
domains we're a backup MX for.

15 years ago exim: Put "Message too big" in X-Spam-Score.
Matthijs Kooijman [Thu, 28 May 2009 09:39:15 +0000 (11:39 +0200)]
exim: Put "Message too big" in X-Spam-Score.

Previously, the "Message too big, not scanned." message was put in the
X-Spam-Report header. Putting it in X-Spam-Score allows clients to see
the what and why of a spam score without downloading the (probably
larger) X-Spam-Report header.

15 years ago exim: Accept mails without a valid sender in the headers.
Matthijs Kooijman [Sat, 9 May 2009 13:35:58 +0000 (15:35 +0200)]
exim: Accept mails without a valid sender in the headers.

A mail should still have a valid envelope from address, but we'll not
force mail to have a valid address in the headers. This is specifically
so mail from the inter-actief.lokaal domain can still be delivered.

15 years ago Merge commit 'origin/template' into mail
root [Tue, 5 May 2009 16:20:22 +0000 (18:20 +0200)]
Merge commit 'origin/template' into mail

* commit 'origin/template':
  rsyslog: Use another format for forwarding messages.
  ssh: Disable changing of the oom_adj value.
  ssh: Add default initscript configuration.

15 years ago rsyslog: Use another format for forwarding messages. samba
Matthijs Kooijman [Tue, 5 May 2009 16:09:52 +0000 (18:09 +0200)]
rsyslog: Use another format for forwarding messages.

The syslog protocol 23 format seems to be broken in rsyslog for messages
that were originally generated by legacy applications (i.e., do not have
a structured-data field).

See http://bugzilla.adiscon.com/show_bug.cgi?id=125

15 years ago ssh: Disable changing of the oom_adj value.
Matthijs Kooijman [Tue, 5 May 2009 15:07:10 +0000 (17:07 +0200)]
ssh: Disable changing of the oom_adj value.

This value is meant for making sure ssh is never killed by the oom
killer, but that is not allowed inside vservers.

15 years ago ssh: Add default initscript configuration.
Matthijs Kooijman [Tue, 5 May 2009 15:06:45 +0000 (17:06 +0200)]
ssh: Add default initscript configuration.

15 years ago exim: Forward mail for logcheck to root.
Matthijs Kooijman [Tue, 5 May 2009 14:43:13 +0000 (16:43 +0200)]
exim: Forward mail for logcheck to root.

15 years ago exim: Add default /etc/aliases file.
Matthijs Kooijman [Tue, 5 May 2009 14:41:37 +0000 (16:41 +0200)]
exim: Add default /etc/aliases file.

Debconf has already filled in my username, so it's not completely
default. Also, the comments on top of the file were updated to reflect
the current exim configuration.

15 years ago Merge commit 'origin/template' into mail
Matthijs Kooijman [Tue, 5 May 2009 14:29:56 +0000 (16:29 +0200)]
Merge commit 'origin/template' into mail

* commit 'origin/template':
  rsyslog: Make the main queue disk-assisted as well.
  rsyslog: Enable queuing of log messages.
  nss: Add some comments.
  rsyslog: Send all logs to the log vserver.
  rsyslog: Move all rsyslog log files into a subdir.
  rsyslog: Update logrotate config to new rsyslog config.
  rsyslog: Add default logrotate config.
  rsyslog: Disable logging of kernel messages.
  rsyslog: Enable logging of mark lines.
  rsyslog: Clean up rsyslog configuration.
  rsyslog: Add default configuration.
  pam: Add pam_permit to the auth section of chfn.
  nss: Update to use our custom LDAP schema.
  apt: Set the Default-Release to "stable".

Conflicts:

etc/rsyslog.conf

15 years ago rsyslog: Make the main queue disk-assisted as well.
Matthijs Kooijman [Tue, 5 May 2009 13:55:27 +0000 (15:55 +0200)]
rsyslog: Make the main queue disk-assisted as well.

15 years ago rsyslog: Enable queuing of log messages.
Matthijs Kooijman [Tue, 5 May 2009 13:07:22 +0000 (15:07 +0200)]
rsyslog: Enable queuing of log messages.

This prevents messages from getting lost when the log vserver is
temporarily unavailable.

15 years ago nss: Add some comments.
Matthijs Kooijman [Tue, 5 May 2009 09:17:28 +0000 (11:17 +0200)]
nss: Add some comments.

15 years ago rsyslog: Send all logs to the log vserver.
Matthijs Kooijman [Tue, 5 May 2009 08:52:30 +0000 (10:52 +0200)]
rsyslog: Send all logs to the log vserver.

This happens in addition to local logging.

15 years ago rsyslog: Move all rsyslog log files into a subdir.
Matthijs Kooijman [Tue, 5 May 2009 08:17:52 +0000 (10:17 +0200)]
rsyslog: Move all rsyslog log files into a subdir.

This allows us to use *.log in the logrotate configuration, without
conflicting with logfiles not created by rsyslog.

15 years ago rsyslog: Update logrotate config to new rsyslog config.
Matthijs Kooijman [Mon, 4 May 2009 20:41:06 +0000 (22:41 +0200)]
rsyslog: Update logrotate config to new rsyslog config.

15 years ago rsyslog: Add default logrotate config.
Matthijs Kooijman [Mon, 4 May 2009 20:37:56 +0000 (22:37 +0200)]
rsyslog: Add default logrotate config.

15 years ago rsyslog: Disable logging of kernel messages.
Matthijs Kooijman [Mon, 4 May 2009 20:31:27 +0000 (22:31 +0200)]
rsyslog: Disable logging of kernel messages.

The vservers won't have access to the kernel messages anyway.

15 years ago rsyslog: Enable logging of mark lines.
Matthijs Kooijman [Mon, 4 May 2009 20:26:54 +0000 (22:26 +0200)]
rsyslog: Enable logging of mark lines.

15 years ago rsyslog: Clean up rsyslog configuration.
Matthijs Kooijman [Mon, 4 May 2009 20:00:15 +0000 (22:00 +0200)]
rsyslog: Clean up rsyslog configuration.

This removes some commented out lines, and reorganizes the existing
logfiles to be more consistent.

15 years ago rsyslog: Add default configuration.
Matthijs Kooijman [Mon, 4 May 2009 19:50:28 +0000 (21:50 +0200)]
rsyslog: Add default configuration.

15 years ago exim: Don't do sender verification by callout.
Matthijs Kooijman [Mon, 4 May 2009 12:58:56 +0000 (14:58 +0200)]
exim: Don't do sender verification by callout.

Doing callouts puts extra resource pressure on the called server. Since
the sender address will be forged in a lot of cases anyway, this won't
really help us and can be used in a DDOS attack on some server. See
http://www.backscatterer.org/index.php?target=sendercallouts

15 years ago exim: Relay mail for fizzgig.{eu,nl}.
Matthijs Kooijman [Thu, 30 Apr 2009 14:58:09 +0000 (16:58 +0200)]
exim: Relay mail for fizzgig.{eu,nl}.

15 years ago exim4: Let exim know its external hostname.
Matthijs Kooijman [Thu, 30 Apr 2009 14:56:16 +0000 (16:56 +0200)]
exim4: Let exim know its external hostname.

This allows relaying to other domains (e.g., work as a backup MX) to
work, since exim knows to defer mails instead of sending them to itself
again.

15 years ago rsyslog: Add default configuration.
Matthijs Kooijman [Thu, 30 Apr 2009 07:15:51 +0000 (09:15 +0200)]
rsyslog: Add default configuration.

15 years ago exim: Restructure the spam handling acls.
Matthijs Kooijman [Mon, 27 Apr 2009 14:16:38 +0000 (16:16 +0200)]
exim: Restructure the spam handling acls.

Previously, exim would have its own spam score threshold and expect
spamassassin to mark any messages as spam (even with negative score), so
spam headers could be added on non-rejected messages. Now, we use three
acl clauses instead of just one, allowing us to accept the judgment of
spamassassin again and add spam headers in a separate clause.

15 years ago spamassassin: Mark messages as spam with score > 20.
Matthijs Kooijman [Mon, 27 Apr 2009 14:15:49 +0000 (16:15 +0200)]
spamassassin: Mark messages as spam with score > 20.

Previously all messages would be marked and exim would set the
threshold, but this is about to change.

15 years ago exim: Set the spamassassin profile to "spamd".
Matthijs Kooijman [Mon, 27 Apr 2009 14:01:53 +0000 (16:01 +0200)]
exim: Set the spamassassin profile to "spamd".

This should really matter, but setting it to "default" made spamd
complain about the user "default" not being found.

15 years ago exim: Correct spam rejection threshold.
Matthijs Kooijman [Mon, 27 Apr 2009 13:56:34 +0000 (15:56 +0200)]
exim: Correct spam rejection threshold.

The score used to be compared with 20, but that really means spamscore
2.0. So we set it to 200 instead, for rejecting when the score is >20.

15 years ago spamassassin: Run as user "spamd" instead of root.
Matthijs Kooijman [Mon, 27 Apr 2009 13:55:06 +0000 (15:55 +0200)]
spamassassin: Run as user "spamd" instead of root.

When running as root, spamd will run as whatever user the client claims
to be, to read preferences. Since this is not-so-secure, we'll just run
as an unprivileged user to begin with (since we don't do per-user
privileges anyway).

15 years ago exim: Add more email domains.
Matthijs Kooijman [Sat, 25 Apr 2009 20:17:26 +0000 (22:17 +0200)]
exim: Add more email domains.

The list now includes all domains I process email for.

15 years ago spamassassin: Set a custom spam report template.
Matthijs Kooijman [Sat, 25 Apr 2009 19:51:00 +0000 (21:51 +0200)]
spamassassin: Set a custom spam report template.

The default template is long and wordy, and says the message is marked
as spam. In our configuration, all messages get the report, so that is
not very accurate.

15 years ago exim: Add spamcheck ACL.
Matthijs Kooijman [Sat, 25 Apr 2009 19:48:57 +0000 (21:48 +0200)]
exim: Add spamcheck ACL.

This ACL always adds spam headers to messages, and denies messages that
have a very high (>20) spamscore.

15 years ago spamassassin: Set the threshold really low (-100.0).
Matthijs Kooijman [Sat, 25 Apr 2009 16:33:47 +0000 (18:33 +0200)]
spamassassin: Set the threshold really low (-100.0).

Exim will have its own spamscore threshold, but only adds spam headers on
messages that are spam according to spamassassin. So we set the threshold
really low here.

15 years ago spamassassin: Mark a bunch of hosts as internal.
Matthijs Kooijman [Sat, 25 Apr 2009 16:33:19 +0000 (18:33 +0200)]
spamassassin: Mark a bunch of hosts as internal.

15 years ago spamassassin: Remove default (commented) configuration.
Matthijs Kooijman [Sat, 25 Apr 2009 16:32:52 +0000 (18:32 +0200)]
spamassassin: Remove default (commented) configuration.

15 years ago spamassassin: Enable nightly updates through cron.
Matthijs Kooijman [Sat, 25 Apr 2009 16:18:02 +0000 (18:18 +0200)]
spamassassin: Enable nightly updates through cron.

15 years ago spamassassin: Enable.
Matthijs Kooijman [Sat, 25 Apr 2009 16:17:47 +0000 (18:17 +0200)]
spamassassin: Enable.

15 years ago spamassassin: Add default configuration.
Matthijs Kooijman [Sat, 25 Apr 2009 16:16:39 +0000 (18:16 +0200)]
spamassassin: Add default configuration.

15 years ago exim: Add vim modelines to all config files.
Matthijs Kooijman [Sat, 25 Apr 2009 15:53:05 +0000 (17:53 +0200)]
exim: Add vim modelines to all config files.

15 years ago system: Set hostname and mailname
Matthijs Kooijman [Fri, 17 Apr 2009 13:15:44 +0000 (15:15 +0200)]
system: Set hostname and mailname

15 years ago exim4: Use dovecot for delivery only.
Matthijs Kooijman [Wed, 15 Apr 2009 17:43:11 +0000 (19:43 +0200)]
exim4: Use dovecot for delivery only.

This removes all previous delivery methods (.forward files, procmail and
direct Maildir delivery) in favour of using dovecot's deliver program.
Dovecot supports forwarding and filtering using sieve scripts and knows
exactly where a user's mailbox should be, so this does not remove
functionality but prevents duplicate configuration.

15 years ago dovecot: Customize the configuration.
Matthijs Kooijman [Wed, 15 Apr 2009 17:41:49 +0000 (19:41 +0200)]
dovecot: Customize the configuration.

This enables dovecot for imaps and email delivery, using sieve for
filtering, pam and nss for authnz and enabling virtual mailboxes.

15 years ago exim: Fix domainlist references by prepending a +.
Matthijs Kooijman [Tue, 14 Apr 2009 10:05:44 +0000 (12:05 +0200)]
exim: Fix domainlist references by prepending a +.

All mail delivery was broken, since the local_domains domainlist was not
properly set.

15 years ago dovecot: Add default configuration.
Matthijs Kooijman [Mon, 13 Apr 2009 16:00:00 +0000 (18:00 +0200)]
dovecot: Add default configuration.

15 years ago pam: Add pam_permit to the auth section of chfn.
Matthijs Kooijman [Mon, 13 Apr 2009 15:48:38 +0000 (17:48 +0200)]
pam: Add pam_permit to the auth section of chfn.

The chfn command did not work before, since it checks account as well as
auth.

15 years ago nss: Update to use our custom LDAP schema.
Matthijs Kooijman [Mon, 13 Apr 2009 15:22:39 +0000 (17:22 +0200)]
nss: Update to use our custom LDAP schema.

This uses the uniqueMember attribute containing dns instead of the
memberUid attribute containing usernames for forming groups.
Additionally, it tells nss-ldap about our replacement for the posixGroup
objectClass.

15 years ago apt: Set the Default-Release to "stable".
Matthijs Kooijman [Mon, 13 Apr 2009 15:21:33 +0000 (17:21 +0200)]
apt: Set the Default-Release to "stable".

15 years ago exim: Completely review the exim configuration.
Matthijs Kooijman [Wed, 8 Apr 2009 17:41:28 +0000 (19:41 +0200)]
exim: Completely review the exim configuration.

This commit mostly removes the fancy Debian debconf automatic stuff,
since that creates a lot of overhead with macros being defined in one
place and the actual configuration in another place. Other unused parts
of the configuration are also unused.

Configuration is added for the main delivery lookups to happen from
ldap data. Both persons and groups in the LDAP directory can have email
addresses defined, which will then get forwarded or delivered
appropriately (for email addresses in the virtual_domains setting, of
course). Email will also be delivered for any username@host addresses,
where host is one of the drsnuggles vservers.

15 years ago exim: Add initial configuration.
Matthijs Kooijman [Mon, 30 Mar 2009 07:38:57 +0000 (09:38 +0200)]
exim: Add initial configuration.

This configuration is generated by debconf by question answering.

15 years ago pam: Let pam.d/cron include common-account.
Matthijs Kooijman [Tue, 30 Dec 2008 23:00:45 +0000 (00:00 +0100)]
pam: Let pam.d/cron include common-account.

The changes to common-account make the custom account section of
pam.d/cron unneeded.

15 years ago pam: Let pam.d/su include common{account,session}.
Matthijs Kooijman [Tue, 30 Dec 2008 22:58:24 +0000 (23:58 +0100)]
pam: Let pam.d/su include common{account,session}.

Since pam.d/other was removed, su was missing the account and session
entries and failed.

15 years ago pam: Make common-account also support unix users.
Matthijs Kooijman [Tue, 30 Dec 2008 22:56:17 +0000 (23:56 +0100)]
pam: Make common-account also support unix users.

This makes sure that common-account supports both unix users (from
passwd) and ldap users. A lot of services don't do real (password)
authentication, but do need to work for both ldap and unix users (cron,
su).

common-auth still only works for ldap users, since those are the only
ones with actual passwords.

15 years ago pam: Add .so to module names in pam.d/other.
Matthijs Kooijman [Tue, 30 Dec 2008 22:51:27 +0000 (23:51 +0100)]
pam: Add .so to module names in pam.d/other.

15 years ago pam: Deny everything in pam.d/other.
Matthijs Kooijman [Tue, 30 Dec 2008 16:04:28 +0000 (17:04 +0100)]
pam: Deny everything in pam.d/other.

15 years ago pam: Add default pam.d/other file.
Matthijs Kooijman [Tue, 30 Dec 2008 16:01:26 +0000 (17:01 +0100)]
pam: Add default pam.d/other file.

15 years ago pam: Fix pam configuration for cron.
Matthijs Kooijman [Tue, 30 Dec 2008 15:50:45 +0000 (16:50 +0100)]
pam: Fix pam configuration for cron.

This allows non-ldap users (say, root) to use cron.

15 years ago pam: Don't allow console logins.
Matthijs Kooijman [Tue, 30 Dec 2008 10:38:15 +0000 (11:38 +0100)]
pam: Don't allow console logins.

We don't have a console on a vserver anyway...

15 years ago pam: Allow only root to change shells and user info.
Matthijs Kooijman [Tue, 30 Dec 2008 10:36:39 +0000 (11:36 +0100)]
pam: Allow only root to change shells and user info.

Since changing user info and shells for ldap users is not supported by
chfn and chsh anyway, and we have no real users that are not in ldap,
limiting this to just root makes sense.

15 years ago pam: Add default pamd.d/{chfn,chsh,cron,login} files.
Matthijs Kooijman [Tue, 30 Dec 2008 10:24:58 +0000 (11:24 +0100)]
pam: Add default pamd.d/{chfn,chsh,cron,login} files.

15 years ago pam: Remove all but one line from pam.d/su.
Matthijs Kooijman [Mon, 29 Dec 2008 19:03:51 +0000 (20:03 +0100)]
pam: Remove all but one line from pam.d/su.

The session modules seem useless, and the common files only include ldap
and don't know about root, so that only gives warnings when root is
trying to su.

This makes it impossible for non-root users to use su, but that's a
feature.

15 years ago pam: Add default pam.d/su file.
Matthijs Kooijman [Mon, 29 Dec 2008 19:03:15 +0000 (20:03 +0100)]
pam: Add default pam.d/su file.

16 years ago system: Set the timezone to Europe/Amsterdam.
Matthijs Kooijman [Thu, 9 Oct 2008 20:20:13 +0000 (22:20 +0200)]
system: Set the timezone to Europe/Amsterdam.

16 years ago apt: Move local repository from ~matthijs to /data.
Matthijs Kooijman [Thu, 9 Oct 2008 15:46:18 +0000 (15:46 +0000)]
apt: Move local repository from ~matthijs to /data.

16 years ago bash: Include bash.bashrc from /etc/profile.
Matthijs Kooijman [Thu, 9 Oct 2008 13:15:34 +0000 (13:15 +0000)]
bash: Include bash.bashrc from /etc/profile.

16 years ago system: Add resolv.conf, pointing to the DNS vserver.
Matthijs Kooijman [Thu, 9 Oct 2008 13:14:52 +0000 (13:14 +0000)]
system: Add resolv.conf, pointing to the DNS vserver.

16 years ago bash: Add default global profile script.
root [Tue, 30 Sep 2008 14:49:56 +0000 (14:49 +0000)]
bash: Add default global profile script.

16 years ago bash: Enable extended completion.
root [Tue, 30 Sep 2008 14:33:29 +0000 (14:33 +0000)]
bash: Enable extended completion.

16 years ago bash: Add initial bashrc.
root [Tue, 30 Sep 2008 14:32:51 +0000 (14:32 +0000)]
bash: Add initial bashrc.

16 years ago nss: Don't use mdns for name resolution.
root [Fri, 26 Sep 2008 10:16:05 +0000 (10:16 +0000)]
nss: Don't use mdns for name resolution.

This change was automatically made by removing avahi-daemon.

16 years ago nullmailer: Add configuration.
root [Fri, 26 Sep 2008 10:15:05 +0000 (10:15 +0000)]
nullmailer: Add configuration.

16 years ago pam: Enable LDAP host attribute checking.
root [Thu, 25 Sep 2008 15:36:02 +0000 (15:36 +0000)]
pam: Enable LDAP host attribute checking.

16 years ago pam: Only use LDAP for auth and account, remove unix authentication.
root [Thu, 25 Sep 2008 15:30:51 +0000 (15:30 +0000)]
pam: Only use LDAP for auth and account, remove unix authentication.

16 years ago pam: Simplify configuration.
root [Thu, 25 Sep 2008 12:19:43 +0000 (12:19 +0000)]
pam: Simplify configuration.

16 years ago pam: Use LDAP for authentication.
root [Thu, 25 Sep 2008 10:24:14 +0000 (10:24 +0000)]
pam: Use LDAP for authentication.

16 years ago nss: Use LDAP for passwd and group.
root [Thu, 25 Sep 2008 10:23:45 +0000 (10:23 +0000)]
nss: Use LDAP for passwd and group.

16 years ago pam: Add default pam common- files.
root [Thu, 25 Sep 2008 07:48:37 +0000 (07:48 +0000)]
pam: Add default pam common- files.

16 years ago Add local debian repository.
root [Thu, 21 Aug 2008 16:04:27 +0000 (16:04 +0000)]
Add local debian repository.

16 years ago Import initial sources.list.
root [Thu, 21 Aug 2008 15:45:24 +0000 (15:45 +0000)]
Import initial sources.list.