authorGuilhem Moulin <guilhem@fripost.org>2016-05-22 18:02:37 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-22 18:02:37 +0200
commit73b2a602ee85706b2a1797632142058c6253ea5d (patch)
treed764d4483f1d7f2be1ff7df431d632afc8788648
parentb536632f32d81dceb11f2b7ebf2ec1a284498901 (diff)
dovecot: also listen on the virtual IP dedicated to IPSec.
(On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
-rw-r--r--roles/IMAP/tasks/imap.yml21
-rw-r--r--roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 (renamed from roles/IMAP/files/etc/dovecot/conf.d/10-master.conf)3
2 files changed, 17 insertions, 7 deletions
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 39dc573..a596c42 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -79,70 +79,79 @@
- name: Fetch Dovecot's X.509 certificate
# Ensure we don't fetch private data
become: False
fetch_cmd: cmd="openssl x509"
stdin=/etc/dovecot/ssl/imap.fripost.org.pem
dest=certs/public/imap.fripost.org.pem
tags:
- genkey
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
dest=/etc/dovecot/{{ item }}
owner=root group=root
mode=0644
register: r1
with_items:
- conf.d/10-auth.conf
- conf.d/10-logging.conf
- conf.d/10-mail.conf
- - conf.d/10-master.conf
- conf.d/10-ssl.conf
- conf.d/15-mailboxes.conf
- conf.d/20-imap.conf
- conf.d/20-lmtp.conf
- conf.d/90-plugin.conf
- conf.d/90-sieve.conf
- conf.d/auth-ldap.conf.ext
- dovecot-ldap.conf.ext
- dovecot-ldap-userdb.conf.ext
notify:
- Restart Dovecot
+- name: Configure Dovecot (2)
+ template: src=etc/dovecot/{{ item }}.j2
+ dest=/etc/dovecot/{{ item }}
+ owner=root group=root
+ mode=0644
+ register: r2
+ with_items:
+ - conf.d/10-master.conf
+ notify:
+ - Restart Dovecot
+
- name: Tell Dovecot we have a remote IMAP proxy
- # XXX: we should have an automatic lookup here
lineinfile: dest=/etc/dovecot/dovecot.conf
regexp='^(\s*#)?\s*login_trusted_networks\s*='
- line='login_trusted_networks = 171.25.193.76/32'
+ line="login_trusted_networks = {{ ipsec_subnet }}"
state=present
create=yes
owner=root group=root
mode=0644
- register: r2
- when: "'IMAP' in group_names and 'webmail' not in group_names"
+ register: r3
+ when: "groups.all | length > 1"
notify:
- Restart Dovecot
- name: Start Dovecot
service: name=dovecot state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
- name: Install 'dovecot_stats_' Munin wildcard plugin
file: src=/usr/local/share/munin/plugins/dovecot_stats_
dest=/etc/munin/plugins/dovecot_stats_fripost.org
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
- name: Install 'dovecot_logins' and 'dovecot_who' Munin plugin
file: src=/usr/local/share/munin/plugins/{{ item }}
dest=/etc/munin/plugins/{{ item }}
owner=root group=root
state=link force=yes
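Review bot: The new `line="login_trusted_networks = {{ ipsec_subnet }}"` together with `when: "groups.all | length > 1"` widens the trust from a single proxy /32 to every host on the IPSec subnet, and Dovecot's login_trusted_networks grants more than the plaintext-auth exemption the commit message relies on: a peer in that range may also forward its own client IP and port, which Dovecot then uses for logging and authentication checks. Nothing in the task records that assumption, so a comment above the lineinfile call such as `# Every host in ipsec_subnet may forward an arbitrary client IP (ID/XCLIENT) and log in without TLS; keep the subnet limited to IPSec peers.` would make the trade-off visible to the next editor. The task name `Tell Dovecot we have a remote IMAP proxy` also no longer matches what the task does now that it trusts a subnet rather than one proxy; `- name: Trust the IPSec subnet for Dovecot logins` reads closer to the new behaviour. The blank lines that separate the tasks appear to have been dropped in this rendering, so the hunk's line counts cannot be checked against the header here.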
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
index 9fcc549..4969550 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
@@ -1,39 +1,40 @@
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
- port = 0
+ address = {{ ipsec[inventory_hostname_short] }}
+ port = 143
}
inet_listener imaps {
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Max. number of IMAP processes (logins)
process_limit = 256
# Number of processes to always keep waiting for more connections.
process_min_avail = 4
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
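Review bot: The new `address = {{ ipsec[inventory_hostname_short] }}` turns the previously disabled plain IMAP listener into a plaintext service on port 143 whose only confinement is the bound address, and the template does not say so; a comment above the line such as `# Plaintext IMAP (143): bound to this host's IPSec virtual IP only, the tunnel provides the encryption` would keep a later edit from widening it. A host missing from the `ipsec` dictionary fails the template render, which is the safe outcome, but a key present with an empty value renders as a bare `address =`, and if I read Dovecot's defaults correctly that falls back to listening on all interfaces, so it is worth failing the render explicitly when the value is empty (a short `{% if %}` check on the value, or the `mandatory` filter for the undefined case). The `imaps` listener in the same block is unchanged, so port 993 keeps its commented-out defaults.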