Age | Commit message | Author | |
---|---|---|---|
2013-09-03 | Work around for shorewall not being available at the site_config stage (#3339) | Micah Anderson | |
Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e | |||
2013-09-03 | use check_helo_access hash:/helo_checks also for $submission_helo_restrictions | varac | |
2013-09-03 | fix $master_cf_tail format | varac | |
2013-09-03 | Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667) | varac | |
2013-09-03 | Merge branch 'feature/helo_access' into develop | Micah Anderson | |
Conflicts: puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp Change-Id: I51555935f9d9409e45809d6df021b10e926ea520 | |||
2013-09-03 | add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) | Micah Anderson | |
Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4 | |||
2013-09-03 | require that shorewall has been installed before execs are run (#3339) | Micah Anderson | |
Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf | |||
2013-09-03 | Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693) | Micah Anderson | |
Change-Id: I6a7338136a53e16962a070826493139fa3307df7 | |||
2013-09-02 | disable postfix debugging by default | varac | |
2013-09-02 | create all webapp databases so _security is set (fixes 3517) | Azul | |
2013-09-02 | specify RAILS_ENV when calling bundle assets-precompile (fixes #3638) | Azul | |
We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies - in particular the braintree gem when deploying. Since the RAILS_ENV was not specified rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this. It looks like we'll always need to specify RAILS_ENV when calling rake or we might want to export it to the environment in a separate task or the user config files such as .bashrc | |||
2013-08-31 | postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode | Micah Anderson | |
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa | |||
2013-08-31 | change the master.cf_tail to pull in -o ↵ | Micah Anderson | |
smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions make a note about the permit_tls_all_clientcerts being something that we don't want in the future remove check_sender_access check which was doing an unnecessary lookup Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc | |||
2013-08-30 | updated submodule couchdb: couchdb: update_user_webapp fails (Bug #3611) | varac | |
2013-08-30 | create sessions db with puppet (Bug #3597) | varac | |
2013-08-29 | Merge branch 'feature/3604' into develop | Micah Anderson | |
2013-08-29 | Merge branch 'bug/3612' into develop | Micah Anderson | |
2013-08-29 | Make TLS-required smtps (465) be port for sending SMTP. This is preferred ↵ | Micah Anderson | |
over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 | |||
2013-08-29 | create individual classes for the apache modules so they can be included more than once in different locations, depending on what services are configured on a node (#3612) | Micah Anderson | |
Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770 | |||
2013-08-29 | change the name of the couch_database in the nickserver.yaml to the new one | Micah Anderson | |
Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5 | |||
2013-08-29 | updated submodule couchdb, fixed merge resolution error from last merge | varac | |
2013-08-29 | updated submodule couchdb, fix puppet couchdb module doesn't create necessary databases anymore (Bug #3594) | varac | |
2013-08-29 | fix smtpd mail restrictions (Feature #3166) | varac | |
2013-08-29 | Deploy postfix with an empty main.cf as beginning (Feature #3584) | varac | |
2013-08-29 | re-added submodule postfix from git://code.leap.se/puppet_postfix (#3584) | varac | |
2013-08-29 | removed submodule "puppet/modules/postfix" (url: git://labs.riseup.net/shared-postfix) | varac | |
2013-08-28 | SMTP checks (Feature #2304) | varac | |
2013-08-28 | Merge branch 'feature/3579' into develop | Micah Anderson | |
2013-08-28 | Merge branch 'bug/3491' into develop | Micah Anderson | |
2013-08-28 | apache headers module needs to be enabled on the monitor server (#3462) | Micah Anderson | |
Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e | |||
2013-08-28 | Merge branch 'feature/clean-webapp-deploy' into develop | Azul | |
2013-08-28 | updated submodule stdlib to obtain facts that show netmask in cidr notation | varac | |
2013-08-28 | require VCS repo before git assume-unchanged (feature #1608) | Azul | |
2013-08-28 | integrate manual postfix config changes in puppet (Feature #3538) | varac | |
2013-08-28 | added site_postfix::debug for debugging (#3538) | varac | |
2013-08-27 | setup bigcouch logrotation (#3491) | Micah Anderson | |
Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847 | |||
2013-08-27 | now that soledad has been split we can better organize things (#3579) | Micah Anderson | |
. create a soledad::common class . leap-mx now only needs to include soledad-common . move the site_apt::preferences::twisted to a preferences block inside the soledad server class . make sure that the packages are doing 'ensure => latest' instead of installed Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d | |||
2013-08-27 | fix name of initial_firewall.pp file (#3339) | Micah Anderson | |
Change-Id: I341628d0f36225ce49ae301246e7c152553efcae | |||
2013-08-27 | Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop | varac | |
2013-08-27 | tor service:obfuscate contact email addr (Feature #3479) | varac | |
2013-08-27 | updated submodule stdlib to obtain 'obfuscate_email' function (#3479) | varac | |
2013-08-27 | move git::changes into git module, whitespace fix | Azul | |
2013-08-27 | specify cwd when using git:changes | Azul | |
2013-08-27 | git:changes expect changes to certain files | Azul | |
You can either ensure assume-unchanged or ensure those changes are tracked. Used to keep the git status clean. | |||
2013-08-27 | make git forget about the changes due to symlinking files | Azul | |
Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy. | |||
2013-08-27 | updated submodule couchdb | varac | |
2013-08-27 | updated submodule couchdb | varac | |
2013-08-22 | Merge branch 'bug/3339' into develop | Micah Anderson | |
2013-08-22 | install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) | Micah Anderson | |
Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 | |||
2013-08-22 | add HSTS if hiera value for webapp['secure'] is set (#3514) | Micah Anderson | |
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab |