authorGuilhem Moulin <guilhem@fripost.org>2014-07-02 17:54:24 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:15 +0200
commit7a5cc5032b036f110a19b899cfc264065b473ed1 (patch)
treee3b0960dea5ee0203dda36013adf2fcaba4c8a8f
parent7becb5c762df5089bb0c4ff5a7f2fb026379fcb3 (diff)
Use stunnel to secure the connection from the IMAP proxy to the IMAP server.
The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf4
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext2
-rw-r--r--roles/IMAP-proxy/files/etc/stunnel/stunnel.conf57
-rw-r--r--roles/IMAP-proxy/handlers/main.yml3
-rw-r--r--roles/IMAP-proxy/tasks/main.yml46
-rw-r--r--roles/IMAP/tasks/imap.yml10
6 files changed, 119 insertions, 3 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
index 242762e..ea39a32 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
@@ -4,8 +4,8 @@
# http://wiki2.dovecot.org/HowTo/ImapcProxy
# http://wiki2.dovecot.org/Migration/Dsync
-imapc_host = imap.fripost.org
-imapc_port = 143
+imapc_host = localhost
+imapc_port = 993
# Read multiple mails in parallel, improves performance
mail_prefetch_count = 20
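Review bot: `imapc_port = 993` now points Dovecot at the local stunnel listener, but that listener (`accept = localhost:993` in stunnel.conf) is cleartext and `imapc_ssl` is not set, so using the IMAPS port number for a plaintext hop is misleading and invites a later "fix" that enables `imapc_ssl`, which would attempt a TLS handshake against a plaintext socket. A comment next to the host line makes the intent explicit: `# Cleartext to the local stunnel client on localhost:993, which adds TLS towards imap.fripost.org:993 (keep imapc_ssl unset)`. The same applies to the passdb args in auth-imap.conf.ext, where no `ssl=` argument is given either. If `localhost` resolves to both ::1 and 127.0.0.1 on the proxy, Dovecot and stunnel may pick different addresses; pinning `127.0.0.1` on both sides would remove that ambiguity, though whether it occurs depends on the host's resolver setup.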
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
index e292092..7ab096f 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
@@ -4,7 +4,7 @@
passdb {
driver = imap
- args = host=imap.fripost.org port=143
+ args = host=localhost port=993
default_fields = userdb_imapc_password=%w
}
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
new file mode 100644
index 0000000..026bc30
--- /dev/null
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
@@ -0,0 +1,57 @@
+; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
+; Some options used here may be inadequate for your particular configuration
+; This sample file does *not* represent stunnel.conf defaults
+; Please consult the manual for detailed description of available options
+
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; A copy of some devices and system files is needed within the chroot jail
+; Chroot conflicts with configuration file reload and many other features
+; Remember also to update the logrotate configuration.
+;chroot = /var/lib/stunnel4/
+; Chroot jail can be escaped if setuid option is not used
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/stunnel4.pid
+
+; Debugging stuff (may useful for troubleshooting)
+debug = 4
+;output = /var/log/stunnel4/stunnel.log
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+;cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Authentication stuff needs to be configured to prevent MITM attacks
+verify = 4
+
+; Disable support for insecure SSLv2 protocol
+options = NO_SSLv2
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; These options provide additional security at some performance degradation
+;options = SINGLE_ECDH_USE
+;options = SINGLE_DH_USE
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+[imaps]
+accept = localhost:993
+connect = imap.fripost.org:993
+CAfile = /etc/stunnel/certs/imap.fripost.org.pem
+ciphers = ECDH+AES:DH+AES
+
+; vim:ft=dosini
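Review bot: The cipher list `ciphers = ECDH+AES:DH+AES` in the `[imaps]` section still admits anonymous key exchange, because OpenSSL's `ECDH` and `DH` aliases cover anonymous as well as ephemeral suites; with no certificate presented there is nothing for `verify = 4` to pin, so whether stunnel rejects such a handshake depends on its verify implementation rather than on this list. Appending the exclusions makes the intent explicit: `ciphers = ECDH+AES:DH+AES:!aNULL:!eNULL`. In the global section `options = NO_SSLv2` leaves SSLv3 negotiable; a second line `options = NO_SSLv3` (stunnel accepts several `options` lines) closes that, assuming the peer Dovecot offers TLS 1.x. The cleartext side of this tunnel listens on `localhost:993`, which deserves a comment next to `accept =` since 993 conventionally denotes a TLS endpoint.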
diff --git a/roles/IMAP-proxy/handlers/main.yml b/roles/IMAP-proxy/handlers/main.yml
index 45f817d..5249a7e 100644
--- a/roles/IMAP-proxy/handlers/main.yml
+++ b/roles/IMAP-proxy/handlers/main.yml
@@ -1,3 +1,6 @@
---
+- name: Restart stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
+
- name: Restart Dovecot
service: name=dovecot state=restarted
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index bb6e5be..73a0dee 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -40,3 +40,49 @@
when: not r.changed
- meta: flush_handlers
+
+
+- name: Install stunnel
+ apt: pkg=stunnel4
+
+- name: Auto-enable stunnel
+ lineinfile: dest=/etc/default/stunnel4
+ regexp='^(\s*#)?\s*ENABLED='
+ line='ENABLED=1'
+ owner=root group=root
+ mode=0644
+
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy Dovecot's X.509 certificate
+ # XXX: it's unfortunate that we have to store the whole CA chain...
+ # for some reason stunnel's level 4 "verify" (CA chain and only verify
+ # peer certificate) doesn't always work:
+ # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html
+ assemble: src=certs/dovecot
+ remote_src=no
+ dest=/etc/stunnel/certs/imap.fripost.org.pem
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart stunnel
+
+- name: Configure stunnel
+ copy: src=etc/stunnel/stunnel.conf
+ dest=/etc/stunnel/stunnel.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel
+
+- name: Start stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
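Review bot: The "Copy Dovecot's X.509 certificate" task assembles every file found in `certs/dovecot/` into `/etc/stunnel/certs/imap.fripost.org.pem` with mode 0644 and no filename filter, so anything that lands in that directory (an editor backup, a stray key) is concatenated into a world-readable file on the proxy. The fetch on the IMAP side guards against pulling private data by running with `sudo: False`, but that guard lives in another role; adding `regexp='\.pem$'` to the assemble call (the assemble module's `regexp` parameter, if the Ansible version in use has it) keeps the proxy side self-contained. The module arguments here use the `key=value` string form; native block YAML (`assemble:` with `src:`/`dest:` subkeys) is the preferred style and lets `mode: "0644"` stay a quoted string rather than an octal-looking scalar.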
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 3e93c53..be451ef 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -82,6 +82,16 @@
tags:
- genkey
+- name: Fetch Dovecot's X.509 certificate
+ # Ensure we don't fetch private data
+ sudo: False
+ fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem
+ dest=certs/dovecot/
+ fail_on_missing=yes
+ flat=yes
+ tags:
+ - genkey
+
- name: Configure Dovecot
copy: src=etc/dovecot/{{ item }}
dest=/etc/dovecot/{{ item }}