authorGuilhem Moulin <guilhem@fripost.org>2016-06-05 17:30:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-05 17:33:25 +0200
commit17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 (patch)
tree00dc894e22ab7221e908faeac98095835b0a0782
parent57e40efc54c230566fd5f6bd10d25692709909b7 (diff)
Use stunnel to secure the connection from the webmail to ldap.fripost.org.
We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/webmail/files/etc/stunnel/ldap.conf57
-rw-r--r--roles/webmail/handlers/main.yml3
-rw-r--r--roles/webmail/tasks/ldap.yml32
-rw-r--r--roles/webmail/tasks/main.yml6
5 files changed, 99 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 04681bd..e419bf3 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,6 +15,7 @@
- include: stunnel.yml
tags: stunnel
+ when: "'webmail' in group_names and ('LDAP-provider' not in group_names or 'out' not in group_names)"
- include: samhain.yml
tags: samhain
- include: auditd.yml
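Review bot: The new `when:` on the stunnel.yml include narrows it from every host to webmail hosts only, and the two-part group test gives no hint why both `LDAP-provider` and `out` matter; if any non-webmail host previously relied on stunnel.yml being included (the server side of the existing stunnel@smtp tunnel, perhaps), it is no longer managed after this change. A comment above the include would make the intent checkable, e.g. `# stunnel is only needed on webmail hosts that must tunnel to a remote LDAP provider (see roles/webmail/tasks/ldap.yml) or, presumably, a remote outgoing SMTP relay`. The same group test is repeated, in a shorter form, on the ldap.yml include in roles/webmail/tasks/main.yml, so the two conditions have to be kept in step by hand.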
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
new file mode 100644
index 0000000..1149bce
--- /dev/null
+++ b/roles/webmail/files/etc/stunnel/ldap.conf
@@ -0,0 +1,57 @@
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid =
+foreground = yes
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+;cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+options = NO_COMPRESSION
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.pem
+
+; vim:ft=dosini
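Review bot: The comment `; Prevent MITM attacks` above `verify = 4` understates what that level does and what it costs operationally: with `verify = 4` stunnel ignores the CA chain and accepts the peer only if it presents the exact certificate in `CAfile`, so `/etc/stunnel/certs/ldap.pem` is a pinned copy of the ldap.fripost.org certificate and every rotation of that certificate must be followed by redeploying this file (roles/webmail/tasks/ldap.yml does notify a restart on change, which is good). I would replace the comment with `; verify = 4 pins the peer certificate itself: the chain is ignored and the connection is accepted only if the server presents exactly the certificate in CAfile, so rotating the server certificate requires redeploying certs/ldap.pem`. It is also worth noting in a comment that `accept = localhost:389` is plaintext LDAP on loopback, only reachable locally thanks to `socket = a:SO_BINDTODEVICE=lo`, so local clients must be pointed at `ldap://localhost:389` rather than at the remote host.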
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 6009de0..17a0dc4 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -2,5 +2,8 @@
- name: Restart stunnel@smtp
service: name=stunnel4@smtp state=restarted
+- name: Restart stunnel@ldap
+ service: name=stunnel4@ldap state=restarted
+
- name: Restart Nginx
service: name=nginx state=restarted
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
new file mode 100644
index 0000000..6df3324
--- /dev/null
+++ b/roles/webmail/tasks/ldap.yml
@@ -0,0 +1,32 @@
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy the ldap's X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/stunnel/certs/ldap.pem
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart stunnel@ldap
+
+- name: Configure stunnel
+ copy: src=etc/stunnel/ldap.conf
+ dest=/etc/stunnel/ldap.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel@ldap
+
+- name: Enable stunnel@ldap
+ service: name=stunnel4@ldap enabled=yes
+
+- name: Start stunnel@ldap
+ service: name=stunnel4@ldap state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
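Review bot: The condition `when: not (r1.changed or r2.changed)` on the "Start stunnel@ldap" task is correct but not self-explanatory: it relies on the fact that a change in either copy task notifies "Restart stunnel@ldap", which starts the service as a side effect, so starting it here as well would only race the handler. A comment above the task would spare the next reader the deduction, e.g. `# if either file changed, the notified handler restarts (and so starts) the instance; only start it explicitly when nothing changed`. The instance name `stunnel4@ldap` presumably has to match the basename of `/etc/stunnel/ldap.conf`; a one-line comment on the "Configure stunnel" task saying so would tie the two together.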
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 8ee50bd..9c40a34 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -3,6 +3,12 @@
tags:
- postfix
- mail
+ - stunnel
+- include: ldap.yml
+ when: "'LDAP-provider' not in group_names"
+ tags:
+ - ldap
+ - stunnel
- include: roundcube.yml
tags:
- roundcube
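Review bot: The `when: "'LDAP-provider' not in group_names"` on the ldap.yml include duplicates part of the group test that this commit also adds to the stunnel.yml include in roles/common/tasks/main.yml, with no cross-reference in either place; if a host is later added to or removed from `LDAP-provider`, both conditions must change together or stunnel will be configured without being installed (or vice versa). A comment such as `# must agree with the stunnel.yml condition in roles/common/tasks/main.yml` above the include would make the coupling visible. The first include in this hunk, which gains the `stunnel` tag, starts outside the hunk, so I cannot tell from here which task file it pulls in.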