Mike Ashley
0eb4cda07a
Update mailserver role for rmilter change
The rmilter package changed the name of its listener service similar to
what was done for rspamd (see commit 2dbc976b).
8 years ago
Tomas Bedrich
2dbc976b99
Updated rspamd service name
8 years ago
Mike Ashley
166c57f045
Use submission port for client outgoing email
Currently client email is submitted via ssmtp (port 465). This has been
deprecated for years. The correct way to submit email is via
submission (port 587).
This patch adds port 587 as a second and the default way of submitting
email for delivery. Port 465 remains open for backwards compatibility
with existing clients.
8 years ago
Allen Riddell
ca6eb2d85b
Add mailserver default vars to role
8 years ago
Mike Ashley
3d68705341
Add leading 0 to octal file permissions
This is done to suppress warnings from ansible-lint.
8 years ago
Carl Meyer
619eac6534
Adjust comment for clarity.
8 years ago
Carl Meyer
d46a9c47ef
Idempotency/changed-reporting fixes for OpenDMARC tasks.
8 years ago
Carl Meyer
7e817bfae6
Encrypt Postgres passwords, and fix change-reporting.
8 years ago
Carl Meyer
e8796ecd28
Idempotent and independent post-certificate-renewal tasks.
8 years ago
Laurent Arnoud
d56f0bd7ef
Use https for rspamd key and repository
8 years ago
Carl Meyer
1a3d01f311
Complete rmilter/rspamd setup.
8 years ago
Carl Meyer
d46fb1521b
Make OpenDMARC cron job email root only on error.
8 years ago
Carl Meyer
57982401a9
Pass {auth_type} to milters, fixing OpenDKIM signing of authenticated SMTP messages.
8 years ago
Mike Ashley
8f1b6a9ed8
Arrange for services to restart on cert renewal
9 years ago
Mike Ashley
beaceafbd1
Update mailserver role to use LE certificate
9 years ago
Mike Ashley
4c830e1b07
Override opendmarc defaults
This patch restores sovereign's configuration of opendmarc.
8 years ago
Mike Ashley
1bc60827ef
Revert opendmarc to use mysql
An earlier commit started transitioning opendmarc to use postgres, but
this was incomplete. This patch reverts that change and uses mysql for
the reporting database.
Other changes:
* Do not maintain a copy of the database import schema. A copy is
included in the distribution in /usr/share/doc, so that is used
instead.
* The configuration file is replaced with the distribution's sample
configuration. A second patch will restore the actual configuration.
This will make the changes easier to see if the default configuration
file changes in future versions of opendmarc.
8 years ago
Mike Ashley
195d8811fc
Remove references to Trusty and Wheezy
Make a clean distinction between Debian 7 and Debian 8. Anticipate the
next Ubuntu LTS release (Xenial) that is planned for support.
8 years ago
Mike Ashley
b8f030eb48
Merge tomcat changes to default configuration
Take changes to the tomcat6 default configuration and apply to tomcat7
configuration. This was done by review of the diff between sovereign's
tomcat6 configuration and the default tomcat7 configuration.
8 years ago
Mike Ashley
ae6d97a4b6
Match tomcat version to solr
The package solr installs and uses tomcat7. Installing tomcat8 appears
to be a mistake for Debian Jessie.
8 years ago
Mike Ashley
d3abc02f84
Clean up Apache SSL configuration
Avoid using the Include directive. Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.
8 years ago
Carl Meyer
3265e77865
Update rspamd repository to the official one.
8 years ago
Sebastian Kriems
fe536873b7
ufw tasks shall have the ufw tag
resolves #453
Conflicts:
roles/common/tasks/ufw.yml
9 years ago
Sven Neuhaus
d59c5eff05
Generate 2048 DH group and add it to Postfix
9 years ago
Mike Ashley
aa59a1a2f0
Correct special-casing of z-push Apache configuration
8 years ago
Stuart Read
e444efa2b4
Add jessie to special-casing for modern apache conf.d handling.
8 years ago
Stuart Read
22ef6be96e
Revert "Z-push apache config: Jessie also uses conf-available/conf-enabled"
This reverts commit 6b53da4bdc.
Using a different approach to maintain wheezy compatibility
8 years ago
Stuart Read
6b53da4bdc
Z-push apache config: Jessie also uses conf-available/conf-enabled
9 years ago
rokaz
a8a0905738
Fix dependency for Solr
9 years ago
Alex Payne
b3dc1b00e9
Correct Tomcat config file name.
9 years ago
Alex Payne
69abd70297
Remove references to Debian 7
9 years ago
Alex Payne
2352d2d67e
OpenDMARC running under Postgres (?)
9 years ago
Alex Payne
7275a52ba6
Update to Tomcat 8
9 years ago
Alex Payne
34d537fcf2
Remove Dovecot installation for older distros
9 years ago
Alex Payne
2e966fe790
Don't need older Postgres anymore
9 years ago
Alex Payne
b674e0a669
Unified Solr installation across distros
9 years ago
Alex Payne
ecaa4c2330
Partially working Rspamd replacement for dspam
9 years ago
Alex Payne
58a4532fe7
Better permission handling for OpenDMARC.
Resolves #400.
9 years ago
Alex Payne
417403f534
Use {{ mail_server_hostname }} over mail.servername
Resolves #402.
9 years ago
Alex Payne
7bb62ca678
Explicitly require MySQL server as part of OpenDMARC install.
Resolves #410.
9 years ago
Miloš Hadžić
d823ed0848
Use lmtp instead of lda for delivery.
9 years ago
Pavel Karoukin
a86e43d5b4
Couple issues with OpenDMARC on Debian 7:
* fix mail_db_opendmarc_username/mail_db_opendmarc_password variable
not found.
* python-mysqldb package is required. Add it to opendmarc task.
9 years ago
Laurent Arnoud
21e0110684
Ignore copy tasks
9 years ago
Laurent Arnoud
a09e2e71c1
tar used in place of unarchive module
9 years ago
Will McCutchen
16b66cc849
Define apache SSL config in one place
9 years ago
Alex Payne
26d61c68a8
Implement OpenDMARC. Resolves #369.
9 years ago
Manfred Touron
16c93ea486
Using more verbose 'dependencies' tag (#393)
9 years ago
Manfred Touron
b49f3a6586
Tagged 'deps' aptitude tasks
9 years ago
John Rogerson
f72e1d2350
Update dovecot version from wheezy backports
For correct implementation of the fix for logjam attack (https://github.com/sovereign/sovereign/pull/372), state=latest is needed to grab a sufficient version of Dovecot. If not then 37aa7e2cb5 doesn't work.
9 years ago
Sven Neuhaus
a088d9c456
Use "modern" SSLCipherSuite per Mozilla recommendations.
See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
Removes RC4 cipher. Fixes issue #341.
Also explicitly disables SSLCompression and enables OCSP stapling.
We should put all these settings in
/etc/apache2/mods-enabled/ssl.conf
to avoid duplication...
9 years ago