Logging configuration updates
Restrictions on postfix
Adding rate limiting and proper security to the postfix images by
default.
Loki config fix
Loki seems to immediately fall over itself given default configurations.
Too many requests due to too much sharding/parallelization? Hard for me
to say. In any case, by changing `parallelise_shardable_queries`, and by
making `max_outstanding_per_tenant` and `split_queries_by_interval`
settings explicit (because in theory these are already the default
settings...), I hope to acheive a more robust service.
Logging stack
syslog-ng -> promtail -> loki -> grafana
A new tag for haproxy which supports syslog logging with practically no
configuration required.
Advertise last commit's tag
Adding a WebDAV variant of Nginx
Addendum to re-fixing encryption
Re-fixing encryption
So while I will continue to prefer port 465, in order to support
public-facing port 587, it really is best to enable wrapper mode only
for the appropriate service. In which case, it should be enabled in
`master.cf` NOT `main.cf`.
Also, to better set relay restrictions, I'm fixing `mydestinations` and
adding `relay_domains`.
Fix encryption setup
Configuration was a bit confused on account of running both SMTPD and
Submission ports. I am going to prefer port 465 with implicit TLS, and
to correctly support that mode I am setting wrapper mode on.
Proxy and TLS updates
Include configuration for proxying on HTTP 1.1, which enabled keepalive.
Also adding configuration for automatic connection upgrading as needed.
Update configuration for TLS ciphers.
Include a simple configuration file for enabling encryption.
Adding recipient_canonical maps to Postfix
Continuation of Postfix redesign
It took frustratingly long to realize that the widely publicized home
for SASL (database in `/etc/sasldb2`, configurations in
`/etc/postfix/sasl`) are at least completely wrong for Alpine Linux, and
probably completely wrong for most distributions. (Everything is in
`/etc/sasl2`, in case you're wondering.)
Logging to stderr is added. One guess as to why I needed to add this.
I've also learned that while bracketing a hostname (i.e.
`smtp:[mail.realy.com]:25`) halts MX record lookups, it does *not* halt
A record lookups. To ensure accurate delivery of mail, Postfix
would much prefer to use public DNS over local name resolution. Luckily
I agree with this design; the opposite behavior only makes sense if a
server isn't delivering to the open internet at all. Precisely the
intended use of the `:tls-in` image. So, that image will no longer do DNS.
Postfix redesign
Now there are three images tags for `postfix`. `:latest` uses encryption
and authentication for inbound and outbound mail. It listens on posts 25
and 465. Because it authenticates, I dropped the requirement for
senders to have a LAN IP.
`:tls-in` drops outbound encryption and authentication. This is
generally going to be useful for receiving mail and handing it to a
local service.
`:tls-out` drops inbound encryption and authentication and listining on
port 465. This is useful for relaying mail off of a trusted host.