diff options
-rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf | 21 | ||||
-rw-r--r-- | roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 22 | ||||
-rw-r--r-- | roles/IMAP-proxy/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 1 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 2 | ||||
-rw-r--r-- | roles/webmail/templates/etc/postfix/main.cf.j2 | 7 |
6 files changed, 42 insertions, 24 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf index 9c50531..e2225c3 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf @@ -146,13 +146,6 @@ mail_gid = imapproxy # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized -# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches -# whenever needed. If you're using only a single mail server this isn't needed. -#mail_nfs_storage = no -# Mail index files also exist in NFS. Setting this to yes requires -# mmap_disable=yes and fsync_disable=no. -#mail_nfs_index = no - # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. NFS users: flock doesn't work, remember to change mmap_disable. @@ -165,14 +158,14 @@ mail_gid = imapproxy # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. -first_valid_uid = 1 +#first_valid_uid = 500 #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. -first_valid_gid = 1 +#first_valid_gid = 1 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying @@ -205,12 +198,16 @@ first_valid_gid = 1 # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = virtual +mail_plugins = virtual zlib ## ## Mailbox handling optimizations ## +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +mailbox_list_index = yes + # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. @@ -262,6 +259,10 @@ mail_plugins = virtual # broken size. The performance hit for enabling this is very small. #maildir_broken_filename_sizes = no +# Always move mails from new/ directory to cur/, even when the \Recent flags +# aren't being reset. +#maildir_empty_new = no + ## ## mbox-specific settings ## diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf index e77b557..f1c2a16 100644 --- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf @@ -39,24 +39,30 @@ socket = r:TCP_NODELAY=1 ; Authentication stuff needs to be configured to prevent MITM attacks verify = 4 -; Disable support for insecure SSLv2 protocol +; Disable support for insecure protocols options = NO_SSLv2 -; Workaround for Eudora bug -;options = DONT_INSERT_EMPTY_FRAGMENTS +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 ; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [imaps] -accept = localhost:993 +accept = localhost:143 connect = imap.fripost.org:993 CAfile = /etc/stunnel/certs/imap.fripost.org.pem -options = NO_SSLv3 -ciphers = ECDH+AES:DH+AES + +[ldaps] +accept = localhost:389 +connect = ldap.fripost.org:636 +CAfile = /etc/stunnel/certs/ldap.fripost.org.pem ; vim:ft=dosini diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index 41bb7a3..2ddba96 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -73,17 +73,26 @@ notify: - Restart stunnel +- name: Copy slapd's X.509 certificate + copy: src=certs/ldap/ldap.fripost.org.pem + dest=/etc/stunnel/certs/ldap.fripost.org.pem + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart stunnel + - name: Configure stunnel copy: src=etc/stunnel/stunnel.conf dest=/etc/stunnel/stunnel.conf owner=root group=root mode=0644 - register: r2 + register: r3 notify: - Restart stunnel - name: Start stunnel service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 5bff410..8251841 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -47,6 +47,7 @@ server { error_log /var/log/nginx/roundcube.error.log info; index index.php; + client_max_body_size 64m; location = /index.php { include fastcgi/php; include fastcgi/php-ssl; diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 558f062..ebe93c8 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -33,7 +33,7 @@ - { var: default_port, value: "143" } - { var: imap_auth_type, value: "'plain'" } - { var: imap_cache, value: "null" } - - { var: messages_cache, value: "FALSE" } + - { var: messages_cache, value: "null" } # SMTP - { var: smtp_server, value: "'localhost'" } - { var: smtp_port, value: "2580" } diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 index 048302a..9d535c6 100644 --- a/roles/webmail/templates/etc/postfix/main.cf.j2 +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -91,12 +91,13 @@ smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain +smtpd_relay_restrictions = + permit_mynetworks + reject + smtpd_recipient_restrictions = - # RFC requirements reject_non_fqdn_recipient reject_unknown_recipient_domain - permit_mynetworks - reject smtpd_data_restrictions = reject_unauth_pipelining |