Word from the Admin Team
Autumn Updates


Improved Webmail

As you must have seen, the webmail was upgraded and has a much more modern theme, which can now be used on a mobile phone. The old theme is still available and can be selected in your settings if you prefer it.

There are many little improvements and fixes which are not immediately visible but should improve our daily life. The support for Mailvelope, to be able to encrypt/sign mails from your browser, without disclosing your key to the server, is supposed to be improved but I was not able to enjoy it yet. I will come back to you when I have more time to test but feedback is welcome too.

To secure your login, TOTP is also available. After the upgrade there is a small problem though: the QR code does not show up in the new theme; please switch back temporarily to the Larry theme in your settings. More details on how to use it in the documentation:

Web Security

We are adding extra security features to our hosted web hosts; for our own services in particular, we are limiting the content and features a website can use (using various headers, especially CSP).

One of the consequences is that the webmail will not accept insecure links. I just discovered it should be possible to upgrade the link to a secure version on the fly, which should solve most usability problems; I will work on this soon. If it is blocked, then it is unsafe and your browser logs should say so.

If you want to protect your personal website, please contact us; safe settings are applied everywhere but only fully-managed services will be upgraded automagically, as knowledge of the site’s content is needed to protect without breaking.

Stuffcloud Talk

Now that Toushirou has a new body, and also some software upgrades, this video chat application is working fine so far, enjoy.

DNS Security

Our main zones are already secured (DNSSEC) but we changed the underlying software (OpenDNSSEC to BIND inline-signing). This simplifies a lot of things even if it is not yet perfect.

With these changes we are able to secure dynamic zones easily and the DDNS zone is now safe. It also makes things possible on the PKI side (see below).


Some time ago we began using Let’s Encrypt to generate HTTPS certificates that would be trusted by all major browsers. This is working fine and the automation is great. Nevertheless we still kept our non-web services under the umbrella of our custom DuckCorp CA. There are initiatives to secure the web but they all rely on the infamous self-appointed CAs. Despite this, bringing services and user software to use secure connections is important, so we decided to use Let’s Encrypt for more services. Currently this only affects SMTP servers but more will follow. This should improve the trust the big providers/corporations on the Internet give to our servers (think of our mails landing in your recipient’s SPAM box for no good reason). The work done on the DNS allows us to deploy Let’s Encrypt certificates for non-web services (using the DNS challenge).

Using an external CA is not necessarily giving away the extra security we had with our custom CA. There is a method (DANE) to publish our certificates for each service via the DNS on a secure zone, which we do have. We were already publishing them for non-web services but it had to be reimplemented to work with Let’s Encrypt. We should then have the best of both worlds.

Mail Security

We’ve reinforced the security level of various services (TLS settings…), especially the SMTP and IMAP parts.

For SMTP we are now using a set of servers protected by DNSSEC with published certificates (DANE). We also advertise a policy to enforce secure connections (MTA-STS, the HSTS of mail).
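
The MTA-STS policy mentioned above is a small text file that sending servers fetch over HTTPS and check each MX host against. As an added example (not DuckCorp's own code or policy), the following parses such a policy per RFC 8461 and decides whether a candidate MX may be used; the example.org names and policy values are constructed.

```python
# Constructed sample policy body, as served at /.well-known/mta-sts.txt
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mx1.example.org\n"
                 "mx: *.mail.example.org\nmax_age: 604800\n")


def parse_policy(text):
    """Parse an MTA-STS policy body (RFC 8461); raise ValueError if invalid."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            raise ValueError("malformed line: %r" % line)
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # duplicates: first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > 31557600:  # RFC 8461 upper bound
        raise ValueError("invalid max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs an mx pattern")
    policy["max_age"] = int(age)
    return policy


def mx_allowed(policy, mx_host):
    """True if mx_host matches a pattern; '*.' stands for exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_cert_valid):
    """What a sender does with one MX candidate: 'deliver' or 'skip'."""
    if policy["mode"] != "enforce":
        return "deliver"  # testing/none: failures are not enforced
    return "deliver" if mx_allowed(policy, mx_host) and tls_cert_valid else "skip"
```

In enforce mode an MX that is not listed, or that fails TLS certificate validation, is skipped rather than falling back to an unauthenticated connection, which is what makes the policy resistant to downgrade.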


Previously we were quite unforgiving with badly configured servers sending a badly formatted or unresolvable introduction (HELO), but a lot of providers have very bad practices and this made certain services difficult to use. We are now using Rspamd filters, which weigh these problems among other things to decide whether a mail is really spam, and we have relaxed the previous SMTP rules.

IPv6 broker

We lost our dedicated IP block quite some time ago and there was an expensive way to get another. As funny as this service was, not so many people cared about IPv6, and now that most Internet connections have it included, it has been a very long time since anyone asked for it. This was de facto over but now it’s official.

These are quite important changes to our infra. If you encounter any problem, please let us know. And enjoy the autumn leaf viewing too! :-)


