author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-17 20:35:37 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-17 22:07:45 +0200 |
commit | 7a562e807515506d7dca2f370f63057be7366c34 (patch) | |
tree | 129a3fb021685ce04f9916c3163eb13ae3f30570 | |
parent | c459a95cd4013e489ef4f9d47c05d1c98798522c (diff) |
roundube: Pin X.509 certificate for sieve.fripost.org:4190.
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 10 | ||||
-rw-r--r-- | roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 (renamed from roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php) | 7 |
2 files changed, 11 insertions, 6 deletions
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index eb04ba1..e416656 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -10,41 +10,40 @@ - name: Install GNU Aspell and some dictionaries apt: pkg={{ item }} with_items: - aspell - aspell-da - aspell-de - aspell-en - aspell-es - aspell-fr - aspell-no - aspell-sv - name: Install Roundcube apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports with_items: - roundcube-core - roundcube-mysql - roundcube-plugins - php-net-sieve - php-net-ldap3 - - php-mail-mimedecode - name: Copy fripost's logo copy: src=usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png dest=/usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png owner=root group=root mode=0644 with_items: - classic - larry - name: Configure Roundcube lineinfile: dest=/etc/roundcube/config.inc.php regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*=' line='$config[\'{{ item.var }}\'] = {{ item.value }};' owner=root group=www-data mode=0640 with_items: # Logging/Debugging - { var: smtp_log, value: "false" } # IMAP 
@@ -80,43 +79,50 @@ - name: Make the logo a hyperlink to the website lineinfile: dest=/usr/share/roundcube/skins/{{ item }}/templates/login.html regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png"[^>]* />)$' line='<a href="https://fripost.org">\1</a>' backrefs=yes owner=root group=root mode=0644 with_items: - classic - larry - name: Configure Roundcube plugins copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php dest=/etc/roundcube/plugins/{{ item }}/config.inc.php owner=root group=root mode=0644 with_items: - additional_message_headers - jqueryui - - managesieve - password +- name: Configure Roundcube plugins (2) + template: src=etc/roundcube/plugins/{{ item }}/config.inc.php.j2 + dest=/etc/roundcube/plugins/{{ item }}/config.inc.php + owner=root group=root + mode=0644 + with_items: + - managesieve + - name: Start php5-fpm service: name=php5-fpm state=started - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes register: r2 notify: - Restart Nginx diff --git a/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 index 9c9b3fc..6ad7343 100644 --- a/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php +++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 
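Review bot: The new task name `Configure Roundcube plugins (2)` says nothing about why it is a separate task from the `copy` task just above it; naming it after the distinction, e.g. `- name: Configure Roundcube plugins (templated)`, keeps the play output readable. The only difference between the two tasks is that this one renders a `.j2` template, so the name should say so.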
@@ -9,52 +9,51 @@ $config['managesieve_port'] = 4190; // %h - user's IMAP hostname // %n - http hostname ($_SERVER['SERVER_NAME']) // %d - domain (http hostname without the first part) // For example %n = mail.domain.tld, %d = domain.tld $config['managesieve_host'] = 'sieve.fripost.org'; // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL // or none. Optional, defaults to best method supported by server. $config['managesieve_auth_type'] = 'PLAIN'; // Optional managesieve authentication identifier to be used as authorization proxy. // Authenticate as a different user but act on behalf of the logged in user. // Works with PLAIN and DIGEST-MD5 auth. $config['managesieve_auth_cid'] = null; // Optional managesieve authentication password to be used for imap_auth_cid $config['managesieve_auth_pw'] = null; // use or not TLS for managesieve server connection // Note: tls:// prefix in managesieve_host is also supported -$config['managesieve_usetls'] = false; +$config['managesieve_usetls'] = true; // Connection scket context options // See http://php.net/manual/en/context.ssl.php // The example below enables server certificate validation $config['managesieve_conn_options'] = array( 'ssl' => array( 'verify_peer' => true, - 'verify_depth' => 3, - 'cafile' => '/etc/stunnel/certs/imap.fripost.org.pem', 'disable_compression' => true, - 'ciphers' => 'EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL', + 'ciphers' => 'EECDH+AES!MEDIUM!LOW!EXP!aNULL!eNULL', + 'peer_fingerprint' => array('sha1' => '{{ lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem -noout -fingerprint -sha1 | sed "s/[^=]*=\s*//" | tr -d :') }}'), ), ); // default contents of filters script (eg. 
default spam filter) $config['managesieve_default'] = '/etc/dovecot/sieve/global'; // The name of the script which will be used when there's no user script $config['managesieve_script_name'] = 'managesieve'; // Sieve RFC says that we should use UTF-8 endcoding for mailbox names, // but some implementations does not covert UTF-8 to modified UTF-7. // Defaults to UTF7-IMAP $config['managesieve_mbox_encoding'] = 'UTF-8'; // I need this because my dovecot (with listescape plugin) uses // ':' delimiter, but creates folders with dot delimiter $config['managesieve_replace_delimiter'] = ''; // disabled sieve extensions (body, copy, date, editheader, encoded-character, // envelope, environment, ereject, fileinto, ihave, imap4flags, index, |
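Review bot: The pin on the `peer_fingerprint` line is keyed by SHA-1 (`'sha1' =>` together with `-fingerprint -sha1` in the lookup); the array form accepts any digest name `openssl x509 -fingerprint` supports, so `'peer_fingerprint' => array('sha256' => '{{ lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem -noout -fingerprint -sha256 | sed "s/[^=]*=\s*//" | tr -d :') }}'),` pins on a collision-resistant digest at no extra cost. `verify_peer` stays `true` while the `cafile` entry is removed, so chain validation now falls back to the system trust store; if imap.fripost.org.pem is not issued by a CA in that store, the handshake fails before the fingerprint is ever compared. The pinned certificate is imap.fripost.org's while `managesieve_host` is `sieve.fripost.org`; unless that certificate's SAN covers sieve.fripost.org, PHP's default peer-name check will reject it and a `'peer_name'` context option would be needed. The rewritten `ciphers` value has also lost its `:` separators; confirm OpenSSL treats `!` as a rule boundary mid-string, or restore `'ciphers' => 'EECDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL',`. Since the pin is rendered at playbook time, a certificate renewal silently breaks sieve access until this role is re-run, which deserves a comment on the `peer_fingerprint` line.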