Age | Commit message | Author | |
---|---|---|---|
2013-10-06 | It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) [0.3.0rc3] | Micah Anderson | |
Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits. Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 | |||
2013-10-06 | implement stripping user's home IPs from Received headers (#3866) | Micah Anderson | |
Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0 | |||
2013-10-06 | only use TLSv1 or later for smtp (Feature #4011) | Micah Anderson | |
Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later. SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f | |||
2013-10-03 | fix name of base class file | Micah Anderson | |
Change-Id: I844970f1c8f895d5a460d5082bfa1a2a88b32ecd | |||
2013-10-03 | Merge branch 'feature/3953' into develop | Micah Anderson | |
2013-10-03 | It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) | Micah Anderson | |
Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits. Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 | |||
2013-10-02 | setup smtpd_tls_eecdh_grade to 'ultra' and configure the smtpd_tls_dh1024_param file, after generating it (#3953) | Micah Anderson | |
Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5 | |||
2013-10-02 | Merge branch 'bug/3869' into develop | Micah Anderson | |
2013-10-02 | Merge branch 'bug/3959' into develop | Micah Anderson | |
2013-10-02 | Merge branch 'feature/3955' into develop | Micah Anderson | |
2013-10-02 | only add vpn_(un)?limited_udp_resolver and vpn_(un)?limited_tcp_resolver lines to unbound.conf if the openvpn package is installed (#3868) | Micah Anderson | |
Change-Id: I65852660a606ccea7569b2207bd535bd8aa3867c | |||
2013-09-26 | set myhostname in postfix the internet hostname of this mail system. The default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869) | Micah Anderson | |
Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6 | |||
2013-09-26 | Merge branch 'bug/3868' into develop | Micah Anderson | |
2013-09-26 | create a site_config::packages directory, move site_config::base_packages to site_config::packages::base add site_config::packages::gnutls for inclusion (#3955) | Micah Anderson | |
Change-Id: I9599eb26844503613c16f57ee17d6ea7bd0cf6fb | |||
2013-09-26 | Add client-side TLS configuration (#3868) | Micah Anderson | |
Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206 | |||
2013-09-26 | Merge branch 'bug/3868' into develop | Micah Anderson | |
2013-09-26 | properly set the $smtps_recipient_restrictions variable in master.cf (#3935) | Micah Anderson | |
Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd | |||
2013-09-25 | add smtp_tls_received_header to include information about the protocol and cipher used as well as the client and issuer CommonName into the "Received:" header | Micah Anderson | |
Also, clean up the parameters to standardize them. Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4 | |||
2013-09-25 | openvpn is restarted before package is installed (Bug #3904) | varac | |
2013-09-25 | recent couchdb puppet - requires git submodule update | Azul | |
2013-09-24 | deploy client_ca on webapp node | varac | |
2013-09-24 | webapp leftover for separate cert and key deployment (Feature #3918) | varac | |
2013-09-24 | fix client_ca cert+key for mx service (Feature #3921) | varac | |
2013-09-24 | added site_config::x509::client_ca::cert and site_config::x509::client_ca::key for client_ca deployment (#3917) | varac | |
2013-09-24 | https://bitmask.net/ca.crt gives 403 Forbidden (Bug #3919) | varac | |
2013-09-24 | Webapp doesn't serve commercial cert (Bug #3916) | varac | |
2013-09-24 | move commercial x509 deployment to site_x509 (Feature #3889) | varac | |
2013-09-24 | separate cert and key deployment (#3918) | varac | |
2013-09-22 | Merge branch 'api-crt-3384' into develop fixes #3384 | kwadronaut | |
2013-09-22 | adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384) | kwadronaut | |
node name and dns fqdn could be different. Also note that on local deploys that warning from #3384 will continue to exist (because of dns) | |||
2013-09-20 | use newer haproxy_servers macro in order to allow couchdb and webapp to be on the same node (requires latest leap_cli) | elijah | |
2013-09-20 | Merge branch 'feature/3782_Discuss_run_stages_on_deploy' into develop | varac | |
2013-09-20 | move all resources that are applied on every node into site_config::default (#3782) | varac | |
in commit 338833, we established a relationship between all resources that have a leap_service tag, that are called in site.pp. But we had some resources as default on every node in site.pp (apt::update, Package { require => Exec['apt_updated'] }, site_config::slow and stdlib), that were still lacking any relationship to the leap_service tag. By moving them into default.pp they automatically are executed before resources with a leap_service tag. | |||
2013-09-20 | fix whitespace issues from https://review.leap.se/r/82 | varac | |
2013-09-19 | fix x509 path in webapp config.yml.erb (#3894) | varac | |
2013-09-19 | tidy soledad x509 definitions (#3841) | varac | |
2013-09-19 | tidy webapp api x509 definitions (#3840) | varac | |
2013-09-19 | tidy nickserver x509 definitions (#3842) | varac | |
2013-09-19 | webapp: Depend services on deployment of default key, cert and ca (Feature #3838) | varac | |
2013-09-19 | Depend services on deployment of default key, cert and ca (Feature #3838) | varac | |
2013-09-19 | soledad should use default key, cert and ca (Feature #3841) | varac | |
2013-09-19 | tidy openvpn x509 definitions (#3831) | varac | |
2013-09-19 | only deploy x509 stuff for nodes if it exists in hiera (Feature #3875) | varac | |
2013-09-19 | Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop | varac | |
2013-09-18 | Setup a class dependency for every tag 'leap_service' to make sure that shorewall is setup before the service is setup. | Micah Anderson | |
This is necessary due to the strict initial firewall that stops various service setup operations from happening, but is relaxed once shorewall is setup properly (#3782) Change-Id: Ia9640c4118aa0053cdb99e7bc11860fed5527501 | |||
2013-09-18 | use x509 for postfix ca and fix names for cert+key (Feature #3833) | varac | |
2013-09-18 | deploy client_ca (#3833) | varac | |
2013-09-18 | openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831) | varac | |
2013-09-17 | fix stunnel module so that code was not removed accidentally | Micah Anderson | |
Change-Id: Ia236eb5b7609d9f96970230fce4d0051d832e3cb | |||
2013-09-17 | shorewall: #2399 blocks uplink (Bug #2866) | varac | |