diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-15 23:46:29 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:26 +0200 |
commit | 7fe517c328906d0f962c3dc33d7bc773f2348bb4 (patch) | |
tree | d8e56323c10cd32952d5b473d4ee56d605375c7d | |
parent | 540779286a899dee846784a8ffd0fdab756ac1e3 (diff) |
Configure the webmail.
19 files changed, 506 insertions, 2 deletions
@@ -6,3 +6,4 @@ - include: IMAP.yml - include: MX.yml - include: MSA.yml +- include: webmail.yml diff --git a/group_vars/all.yml b/group_vars/all.yml index 26448c4..5755086 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -7,6 +7,7 @@ postfix_instance: MX: { name: mx, group: mta } MTA-out: { name: mta-out,group: mta } MSA: { name: msa } + webmail: { name: webmail } MTA_out: { IPv4: outgoing.fripost.org, port: 2525 } LDA: { IPv4: lda.fripost.org, port: 2526 } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf index 51ed7c6..d477d01 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf @@ -18,6 +18,7 @@ service imap-login { inet_listener imap { address = 172.16.0.1 port = 143 + ssl = no } inet_listener imaps { port = 993 diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index a733e94..4eabe53 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -5,6 +5,14 @@ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required +# No need for SSL if the packets are protected by IPSec. +local 172.16.0.1 { + protocol imap { + disable_plaintext_auth = no + ssl = no + } +} + # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf new file mode 100644 index 0000000..c8cb5d3 --- /dev/null +++ b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf @@ -0,0 +1,16 @@ +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) +# Values: TEXT +# +failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\. + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf index 3540e32..38b2ecb 100644 --- a/roles/common/files/etc/postfix/master.cf +++ b/roles/common/files/etc/postfix/master.cf @@ -11,6 +11,7 @@ smtp inet n - - - - smtpd 16132 inet n - - - - smtpd 2526 inet n - - - - smtpd +2580 inet n - - - - smtpd submission inet n - - - - smtpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml index d5007b9..be26c79 100644 --- a/roles/common/tasks/fail2ban.yml +++ b/roles/common/tasks/fail2ban.yml @@ -1,17 +1,28 @@ - name: Install fail2ban apt: pkg=fail2ban +- name: Add addititional filters + copy: src=etc/fail2ban/filter.d/{{ item }} + dest=/etc/fail2ban/filter.d/{{ item }} + owner=root group=root + mode=0644 + register: r1 + with_items: + - roundcube.conf + notify: + - Restart fail2ban + - name: Configure fail2ban template: src=etc/fail2ban/jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=0644 - register: r + register: r2 notify: - Restart fail2ban - name: Start fail2ban service: name=fail2ban state=started - when: not r.changed + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 661c862..7c5bc0e 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -81,3 +81,13 @@ port = submission filter = sasl logpath = /var/log/mail.warn {% endif %} + + +{% if 'webmail' in group_names %} +[roundcube] + +enabled = true +port = http,https +filter = roundcube +logpath = /var/log/roundcube/errors +{% endif %} diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 2a36932..3ddb87e 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -25,3 +25,6 @@ in tcp 993 # IMAPS {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} +{% if 'webmail' in group_names %} +in tcp 80,443 # HTTP/HTTPS +{% endif %} diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube new file mode 100644 index 0000000..72f5a40 --- /dev/null +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -0,0 +1,69 @@ +server { + + listen 80; + listen [::]:80 ipv6only=on; + + server_name mail.fripost.org; + + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; + + return 301 https://$http_host$request_uri; +} + + +server { + listen 443; + listen [::]:443 ipv6only=on; + + server_name mail.fripost.org; + root /var/lib/roundcube; + + include ssl/config; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + location = /favicon.ico { + root /usr/share/roundcube/skins/default/images; + log_not_found off; + access_log off; + expires max; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Deny all attempts to access hidden files, or files under hidden + # directories. + location ~ /\. { return 404; } + + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; + + index index.php; + location = /index.php { + include fastcgi/php; + include fastcgi/php-ssl; + + # From /var/lib/roundcube/.htaccess + fastcgi_param PHP_VALUE "upload_max_filesize=25M + post_max_size=30M + memory_limit=64M + session.gc_maxlifetime=21600 + session.gc_divisor=500 + session.gc_probability=1"; + fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/misc/magic + upload_tmp_dir=$document_root/temp"; + } + + # Security rules + location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { + return 404; + } + location ~ ^/(bin|SQL)/ { + return 404; + } +} diff --git a/roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png b/roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png Binary files differnew file mode 100644 index 0000000..7af586a --- /dev/null +++ b/roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml new file mode 100644 index 0000000..308f708 --- /dev/null +++ b/roles/webmail/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: Restart Postfix + service: name=postfix state=restarted + +- name: Reload Postfix + service: name=postfix state=reloaded + +- name: Restart Nginx + service: name=nginx state=restarted diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml new file mode 100644 index 0000000..d3fb64e --- /dev/null +++ b/roles/webmail/tasks/mail.yml @@ -0,0 +1,20 @@ +- name: Install Postfix + apt: pkg={{ item }} + with_items: + - postfix + - postfix-pcre + +- name: Configure Postfix + template: src=etc/postfix/main.cf.j2 + dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf + owner=root group=root + mode=0644 + register: r + notify: + - Restart Postfix + +- name: Start Postfix + service: name=postfix state=started + when: not r.changed + +- meta: flush_handlers diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml new file mode 100644 index 0000000..a6eeee2 --- /dev/null +++ b/roles/webmail/tasks/main.yml @@ -0,0 +1,2 @@ +- include: mail.yml tags=postfix,mail +- include: roundcube.yml tags=roundcube,webmail diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml new file mode 100644 index 0000000..e76b896 --- /dev/null +++ b/roles/webmail/tasks/roundcube.yml @@ -0,0 +1,85 @@ +- name: Install Roundcube + apt: pkg={{ item }} + with_items: + - roundcube-core + - roundcube-mysql + - roundcube-plugins + - php5-fpm + - php5-ldap + +- name: Copy fripost's logo + copy: src=var/lib/roundcube/skins/default/images/logo_webmail.png + dest=/var/lib/roundcube/skins/default/images/logo_webmail.png + owner=root group=root + mode=0644 + +- name: Configure Roundcube + lineinfile: dest=/etc/roundcube/main.inc.php + "regexp=^\s*\$rcmail_config\['{{ item.var }}']\s*=" + "line=$rcmail_config['{{ item.var }}'] = {{ item.value }};" + owner=root group=www-data + mode=0640 + with_items: + # Logging/Debugging + - { var: smtp_log, value: "FALSE" } + # IMAP + - { var: default_host, value: "'ssl://imap.fripost.org'" } + - { var: imap_auth_type, value: "'plain'" } + - { var: imap_cache, value: "'db'" } + - { var: message_cache, value: "'db'" } + # SMTP + - { var: smtp_server, value: "localhost" } + - { var: smtp_port, value: "2580" } + # System + - { var: force_https, value: "TRUE" } + - { var: login_autocomplete, value: "2" } + - { var: skin_logo, value: "'skins/default/images/logo_webmail.png'" } + - { var: username_domain, value: "'fripost.org'" } + - { var: product_name, value: "'Fripost'" } + # Plugins + - { var: plugins, value: "array('password','additional_message_headers')" } + # User Interface + - { var: language, value: "'sv_SE'" } + - { var: create_default_folders, value: "TRUE" } + # User Preferences + - { var: htmleditor, value: "TRUE" } + - { var: skip_deleted, value: "TRUE" } + - { var: check_all_folders, value: "FALSE" } + +- name: Make the logo a hyperlink to the website + lineinfile: dest=/usr/share/roundcube/skins/default/templates/login.html + regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png" id="logo" border="0" style="margin:0 11px" />)$' + line='<a href="https://fripost.org">\1</a>' + backrefs=yes + owner=root group=root + mode=0644 + +- name: Configure Roundcube plugins + template: src=usr/share/roundcube/plugins/{{ item }}/config.inc.php.j2 + dest=/usr/share/roundcube/plugins/{{ item }}/config.inc.php + owner=root group=root + mode=0644 + with_items: + - password + - additional_message_headers + +- name: Start php5-fpm + service: name=php5-fpm state=started + +- name: Copy /etc/nginx/sites-available/roundcube + copy: src=etc/nginx/sites-available/roundcube + dest=/etc/nginx/sites-available/roundcube + owner=root group=root + mode=0644 + notify: + - Restart Nginx + +- name: Create /etc/nginx/sites-enabled/roundcube + file: src=../sites-available/roundcube + dest=/etc/nginx/sites-enabled/roundcube + owner=root group=root + state=link + notify: + - Restart Nginx + +- meta: flush_handlers diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 new file mode 100644 index 0000000..fd4ea8e --- /dev/null +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -0,0 +1,99 @@ +######################################################################## +# Webmail configuration +# +# {{ ansible_managed }} +# Do NOT edit this file directly! + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +mail_owner = postfix + +delay_warning_time = 4h +maximal_queue_lifetime = 5d + +myorigin = /etc/mailname +myhostname = webmail{{ webmailno | default('') }}.$mydomain +mydomain = {{ ansible_domain }} +append_dot_mydomain = no + +# Turn off all TCP/IP listener ports except that necessary for the webmail. +master_service_disable = !2580.inet inet + +queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} +data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} +multi_instance_group = {{ postfix_instance[inst].group | default('') }} +multi_instance_name = postfix-{{ postfix_instance[inst].name }} +multi_instance_enable = yes + +# This server is a nullclient +mynetworks_style = host +inet_interfaces = loopback-only +inet_protocols = all + +# No local delivery +mydestination = +local_transport = error:5.1.1 Mailbox unavailable +alias_maps = +alias_database = +local_recipient_maps = + +message_size_limit = 67108864 +recipient_delimiter = + + +# Forward everything to our internal mailhub +{% if 'MTA-out' in group_names %} +relayhost = [127.0.0.1]:{{ MTA_out.port }} +{% else %} +relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }} +{% endif %} +relay_domains = + +# Don't rewrite remote headers +local_header_rewrite_clients = +# Pass the client information along to the content filter +smtp_send_xforward_command = yes +# Avoid splitting the envelope and scanning messages multiple times +smtp_destination_recipient_limit = 1000 +# Tolerate occasional high latency +smtp_data_done_timeout = 1200s + +# Pass the mail to the antivirus +#content_filter = amavisfeed:unix:public/amavisfeed-antivirus + +# Tunnel everything through IPSec +smtp_tls_security_level = none +smtp_bind_address = 172.16.0.1 +smtpd_tls_security_level = none + + +strict_rfc821_envelopes = yes +smtpd_delay_reject = yes +disable_vrfy_command = yes + +# UCE control +unknown_client_reject_code = 554 + +smtpd_client_restrictions = + permit_mynetworks + reject + +smtpd_helo_required = yes +smtpd_helo_restrictions = + permit_mynetworks + reject_non_fqdn_helo_hostname + reject_invalid_helo_hostname + +smtpd_sender_restrictions = + reject_non_fqdn_sender + reject_unknown_sender_domain + +smtpd_recipient_restrictions = + # RFC requirements + reject_non_fqdn_recipient + reject_unknown_recipient_domain + permit_mynetworks + reject + +smtpd_data_restrictions = + reject_unauth_pipelining diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 new file mode 100644 index 0000000..e9d0d3d --- /dev/null +++ b/roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 @@ -0,0 +1,14 @@ +<?php + +// $rcmail_config['additional_message_headers']['X-Remote-Browser'] = $_SERVER['HTTP_USER_AGENT']; +$rcmail_config['additional_message_headers']['X-Originating-IP'] = null; +// $rcmail_config['additional_message_headers']['X-RoundCube-Server'] = $_SERVER['SERVER_ADDR']; + +// if( isset( $_SERVER['MACHINE_NAME'] )) { +// $rcmail_config['additional_message_headers']['X-RoundCube-Server'] .= ' (' . $_SERVER['MACHINE_NAME'] . ')'; +// } + +// To remove (e.g. X-Sender) message header use null value +$rcmail_config['additional_message_headers']['X-Sender'] = null; + +?> diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 new file mode 100644 index 0000000..35c73f9 --- /dev/null +++ b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 @@ -0,0 +1,149 @@ +<?php + +// Password Plugin options +// ----------------------- +// A driver to use for password change. Default: "sql". +// See README file for list of supported driver names. +$rcmail_config['password_driver'] = 'ldap_simple'; + +// Determine whether current password is required to change password. +// Default: false. +$rcmail_config['password_confirm_current'] = true; + +// Require the new password to be a certain length. +// set to blank to allow passwords of any length +$rcmail_config['password_minimum_length'] = 12; + +// Require the new password to contain a letter and punctuation character +// Change to false to remove this check. +$rcmail_config['password_require_nonalpha'] = false; + +// Enables logging of password changes into logs/password +$rcmail_config['password_log'] = false; + + +// LDAP and LDAP_SIMPLE Driver options +// ----------------------------------- +// LDAP server name to connect to. +// You can provide one or several hosts in an array in which case the hosts are tried from left to right. +// Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); +// Default: 'localhost' +$rcmail_config['password_ldap_host'] = '{{ LDAP_provider }}'; + +// LDAP server port to connect to +// Default: '389' +$rcmail_config['password_ldap_port'] = '389'; + +// TLS is started after connecting +// Using TLS for password modification is recommanded. +// Default: false +$rcmail_config['password_ldap_starttls'] = false; + +// LDAP version +// Default: '3' +$rcmail_config['password_ldap_version'] = '3'; + +// LDAP base name (root directory) +// Exemple: 'dc=exemple,dc=com' +$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org'; + +// LDAP connection method +// There is two connection method for changing a user's LDAP password. +// 'user': use user credential (recommanded, require password_confirm_current=true) +// 'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW) +// Default: 'user' +$rcmail_config['password_ldap_method'] = 'user'; + +// LDAP Admin DN +// Used only in admin connection mode +// Default: null +$rcmail_config['password_ldap_adminDN'] = null; + +// LDAP Admin Password +// Used only in admin connection mode +// Default: null +$rcmail_config['password_ldap_adminPW'] = null; + +// LDAP user DN mask +// The user's DN is mandatory and as we only have his login, +// we need to re-create his DN using a mask +// '%login' will be replaced by the current roundcube user's login +// '%name' will be replaced by the current roundcube user's name part +// '%domain' will be replaced by the current roundcube user's domain part +// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" +// Exemple: 'uid=%login,ou=people,dc=exemple,dc=com' +$rcmail_config['password_ldap_userDN_mask'] = 'fvl=%name,fvd=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org'; + +// LDAP search DN +// The DN roundcube should bind with to find out user's DN +// based on his login. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// Use this if you cannot specify a general template for user DN with +// password_ldap_userDN_mask. You need to perform a search based on +// users login to find his DN instead. A common reason might be that +// your users are placed under different ou's like engineering or +// sales which cannot be derived from their login only. +$rcmail_config['password_ldap_searchDN'] = null; + +// LDAP search password +// If password_ldap_searchDN is set, the password to use for +// binding to search for user's DN. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// Warning: Be sure to set approperiate permissions on this file so this password +// is only accesible to roundcube and don't forget to restrict roundcube's access to +// your directory as much as possible using ACLs. Should this password be compromised +// you want to minimize the damage. +$rcmail_config['password_ldap_searchPW'] = null; + +// LDAP search base +// If password_ldap_searchDN is set, the base to search in using the filter below. +// Note that you should comment out the default password_ldap_userDN_mask setting +// for this to take effect. +$rcmail_config['password_ldap_search_base'] = null; + +// LDAP search filter +// If password_ldap_searchDN is set, the filter to use when +// searching for user's DN. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// '%login' will be replaced by the current roundcube user's login +// '%name' will be replaced by the current roundcube user's name part +// '%domain' will be replaced by the current roundcube user's domain part +// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" +// Example: '(uid=%login)' +// Example: '(&(objectClass=posixAccount)(uid=%login))' +$rcmail_config['password_ldap_search_filter'] = null; + +// LDAP password hash type +// Standard LDAP encryption type which must be one of: crypt, +// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear. +// Please note that most encodage types require external libraries +// to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info. +// Default: 'crypt' +$rcmail_config['password_ldap_encodage'] = 'ssha'; + +// LDAP password attribute +// Name of the ldap's attribute used for storing user password +// Default: 'userPassword' +$rcmail_config['password_ldap_pwattr'] = 'userPassword'; + +// LDAP password force replace +// Force LDAP replace in cases where ACL allows only replace not read +// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace +// Default: true +$rcmail_config['password_ldap_force_replace'] = true; + +// LDAP Password Last Change Date +// Some places use an attribute to store the date of the last password change +// The date is meassured in "days since epoch" (an integer value) +// Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange) +$rcmail_config['password_ldap_lchattr'] = ''; + +// LDAP Samba password attribute, e.g. sambaNTPassword +// Name of the LDAP's Samba attribute used for storing user password +$rcmail_config['password_ldap_samba_pwattr'] = ''; + +// LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet +// Some places use an attribute to store the date of the last password change +// The date is meassured in "seconds since epoch" (an integer value) +// Whenever the password is changed, the attribute will be updated if set +$rcmail_config['password_ldap_samba_lchattr'] = ''; diff --git a/webmail.yml b/webmail.yml new file mode 100644 index 0000000..d8a6a1e --- /dev/null +++ b/webmail.yml @@ -0,0 +1,5 @@ +--- +- name: Configure the webmail + hosts: webmail + roles: + - { role: webmail, inst: webmail } |