| Age | Commit message (Collapse) | Author |
|---|
|
smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port
move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions
make a note about the permit_tls_all_clientcerts being something that we don't want in the future
remove check_sender_access check which was doing an unnecessary lookup
Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc
|
|
|
|
|
|
|
|
|
|
over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)
. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25
note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.
Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
|
|
more than once in different locations, depending on what services are configured on a node (#3612)
Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770
|
|
Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5
|
|
|
|
necessary databases anymore (Bug #3594)
|
|
|
|
|
|
|
|
git://labs.riseup.net/shared-postfix)
|
|
|
|
|
|
|
|
Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e
|
|
|
|
|
|
|
|
|
|
|
|
Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847
|
|
. create a soledad::common class
. leap-mx now only needs to include soledad-common
. move the site_apt::preferences::twisted to a preferences block inside the soledad server class
. make sure that the packages are doing 'ensure => latest' instead of installed
Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d
|
|
Change-Id: I341628d0f36225ce49ae301246e7c152553efcae
|
|
|
|
|
|
|
|
|
|
|
|
You can either ensure assume-unchanged or ensure those changes are tracked.
Used to keep the git status clean.
|
|
Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy.
|
|
|
|
|
|
|
|
cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339)
Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
|
|
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
|
|
The LEAP web application can be displayed inside other pages using an HTML
iframe. Therefore, an attacker can embed parts of the LEAP application inside
of a webpage they control. They can then use special style properties to
disguise the embedded page. By tricking a user in to clicking in the iframe, the
attacker can coerce the user in to performing unintended actions within the LEAP
web application.
An attacker creates a website that embeds the LEAP web application in an iframe.
They then create an HTML /JavaScript game on the same page that involves
clicking and dragging sprites. When a user plays the game, they are in fact
dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app,
which is hidden behind the game using
As long as iframe embedding is not required in the normal usage of the
application, the X-Frame-Options header should be added to prevent browsers from
displaying the web application in frames on other origins.
This has also been set in the webapp
Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
|
|
. Disable ServerSignature
. Set ServerTokens Prod
. unset the X-Powered-By and X-Runtime apache headers
Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
|
|
Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9
|
|
Change-Id: I474cc691fcfc892b7aff4a3a0e3954155bf5ee30
|
|
backport twisted 13. In order to install the backported dependencies we need an apt preferences_snippet installed for the backported twisted packages
Change-Id: I886bb735eeb3abe7955c7cf054b749554ab84746
|
|
requires this to start. Closes: #3474
Change-Id: I921dcf0d6571cd60d2705ae4925d0a4318c84fa2
|
|
|
|
made to create databases or add users as these would fail otherwise. Closes: #3466
Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0
|
|
Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7
|
|
Change-Id: I20a6ecc43e36fc1e8416c46f7e4d14726995d2f2
|
|
squashed commits:
site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery
added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy
updated submodule squid_deb_proxy
use squid_deb_proxy::client
|
|
made to create databases or add users as these would fail otherwise. Closes: #3466
Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0
|
