Age | Commit message | Author |
|
#3667)
|
|
Conflicts:
puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
Change-Id: I51555935f9d9409e45809d6df021b10e926ea520
|
|
admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694)
Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4
|
|
Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf
|
|
not sending a HELO (#3693)
Change-Id: I6a7338136a53e16962a070826493139fa3307df7
|
|
We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies - in particular the braintree gem when deploying.
Since the RAILS_ENV was not specified rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this. It looks like we'll always need to specify RAILS_ENV when calling rake or we might want to export it to the environment in a separate task or the user config files such as .bashrc
|
|
to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
|
|
smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to set up specific restrictions for the smtps port
move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions
make a note about the permit_tls_all_clientcerts being something that we don't want in the future
remove check_sender_access check which was doing an unnecessary lookup
Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc
|
|
over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)
. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25
note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.
Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
|
|
more than once in different locations, depending on what services are configured on a node (#3612)
Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770
|
|
Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5
|
|
necessary databases anymore (Bug #3594)
|
|
git://labs.riseup.net/shared-postfix)
|
|
Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e
|
|
Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847
|
|
. create a soledad::common class
. leap-mx now only needs to include soledad-common
. move the site_apt::preferences::twisted to a preferences block inside the soledad server class
. make sure that the packages are doing 'ensure => latest' instead of installed
Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d
|
|
Change-Id: I341628d0f36225ce49ae301246e7c152553efcae
|
|
You can either ensure assume-unchanged or ensure those changes are tracked.
Used to keep the git status clean.
|
|
Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy.
|
|
cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339)
Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
|
|
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
|
|
The LEAP web application can be displayed inside other pages using an HTML
iframe. Therefore, an attacker can embed parts of the LEAP application inside
of a webpage they control. They can then use special style properties to
disguise the embedded page. By tricking a user into clicking in the iframe, the
attacker can coerce the user into performing unintended actions within the LEAP
web application.
An attacker creates a website that embeds the LEAP web application in an iframe.
They then create an HTML/JavaScript game on the same page that involves
clicking and dragging sprites. When a user plays the game, they are in fact
dragging new text values into the “Change Password” form in the LEAP web app,
which is hidden behind the game using
As long as iframe embedding is not required in the normal usage of the
application, the X-Frame-Options header should be added to prevent browsers from
displaying the web application in frames on other origins.
This has also been set in the webapp
Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
|
|
. Disable ServerSignature
. Set ServerTokens Prod
. unset the X-Powered-By and X-Runtime apache headers
Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
|
|
Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9
|