Merge 9eb7e058be into 8548ede638

setup/functions.sh

@@ -132,6 +132,14 @@ function ufw_allow {
 	fi
 }
 
+# Adds a limit rule allowing 6 in 30 sec
+function ufw_limit {
+	if [ -z "$DISABLE_FIREWALL" ]; then
+		# ufw has completely unhelpful output
+		ufw limit $1 > /dev/null;
+	fi
+}
+
 function restart_service {
 	hide_output service $1 restart
 }

setup/mail-dovecot.sh

@@ -38,7 +38,30 @@ apt_install \
 # would be 20 users). Set it to 250 times the number of cores this
 # machine has, so on a two-core machine that's 500 processes/100 users).
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
-	default_process_limit=$(echo "`nproc` * 250" | bc)
+	default_process_limit=$(echo "`nproc` * 250" | bc) \
+	log_path = /var/log/dovecot.log
+
+# Set the log file for dovecot to it's own to avoid loading up
+# syslog with excessive log events
+tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
+	log_path = /var/log/dovecot.log
+
+# Add logrotate entry for dovecot
+cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF;
+/var/log/dovecot*.log {
+  missingok
+  notifempty
+  delaycompress
+  sharedscripts
+  postrotate
+    doveadm log reopen
+  endscript
+}
+EOF
+
+# set ownership and permissions for dovecot log file
+chown syslog:adm /var/log/dovecot.log
+chmod 640 /var/log/dovecot.log
  
 # The inotify `max_user_instances` default is 128, which constrains
 # the total number of watched (IMAP IDLE push) folders by open connections.
@@ -200,11 +223,11 @@ mkdir -p $STORAGE_ROOT/mail/sieve/global_after
 chown -R mail.mail $STORAGE_ROOT/mail/sieve
 
 # Allow the IMAP/POP ports in the firewall.
-ufw_allow imaps
-ufw_allow pop3s
+ufw_limit imaps
+ufw_limit pop3s
 
 # Allow the Sieve port in the firewall.
-ufw_allow sieve
+ufw_limit sieve
 
 # Restart services.
 restart_service dovecot

setup/system.sh

@@ -229,7 +229,7 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 	apt_install ufw
 
 	# Allow incoming connections to SSH.
-	ufw_allow ssh;
+	ufw_limit ssh;
 
 	# ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
 	# settings, find the port it is supposedly running on, and open that port #NODOC
@@ -239,7 +239,7 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 	if [ "$SSH_PORT" != "22" ]; then
 
 	echo Opening alternate SSH port $SSH_PORT. #NODOC
-	ufw_allow $SSH_PORT #NODOC
+	ufw_limit $SSH_PORT #NODOC
 
 	fi
 	fi

setup/web.sh

@@ -106,6 +106,6 @@ restart_service nginx
 restart_service php5-fpm
 
 # Open ports.
-ufw_allow http
-ufw_allow https
+ufw_limit http
+ufw_limit https