authorGuilhem Moulin <guilhem@fripost.org>2015-05-31 04:02:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:54 +0200
commitb29601e313e8d35ec7edee343c82ca71ed6a3a12 (patch)
tree7b8cf31c97f405fe5b66c675256b962f2770b120
parentfa82a617a0c50b7478cd2b7189aa5f7d14449954 (diff)
Upgrade the webmail configuration from Wheezy to Jessie.
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf21
-rw-r--r--roles/IMAP-proxy/files/etc/stunnel/stunnel.conf22
-rw-r--r--roles/IMAP-proxy/tasks/main.yml13
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube1
-rw-r--r--roles/webmail/tasks/roundcube.yml2
-rw-r--r--roles/webmail/templates/etc/postfix/main.cf.j27
6 files changed, 42 insertions, 24 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
index 9c50531..e2225c3 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
@@ -146,13 +146,6 @@ mail_gid = imapproxy
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -165,14 +158,14 @@ mail_gid = imapproxy
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
-first_valid_gid = 1
+#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
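Review bot: Commenting out `first_valid_uid = 1` falls back to Dovecot's built-in default of 500, and on Debian a system account such as `imapproxy` (the `mail_gid` shown in the hunk header suggests one exists) is allocated a UID in the 100–999 range, so if mail access on this proxy runs under a UID below 500 logins will now be refused with Dovecot's "Mail access for users with UID … not permitted (see first_valid_uid …)" error. Check with `id imapproxy` on a Jessie host; if the UID is below 500, set `first_valid_uid` explicitly to that value rather than restoring `1`, which would again let mail processes run as any daemon account. The `first_valid_gid` change is a no-op, since 1 is already Dovecot's default for it, so a comment there such as `# default (1) is intentional; only root/wheel are excluded` would make that clear.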
@@ -205,12 +198,16 @@ first_valid_gid = 1
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = virtual
+mail_plugins = virtual zlib
##
## Mailbox handling optimizations
##
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
@@ -262,6 +259,10 @@ mail_plugins = virtual
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
##
## mbox-specific settings
##
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
index e77b557..f1c2a16 100644
--- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
@@ -39,24 +39,30 @@ socket = r:TCP_NODELAY=1
; Authentication stuff needs to be configured to prevent MITM attacks
verify = 4
-; Disable support for insecure SSLv2 protocol
+; Disable support for insecure protocols
options = NO_SSLv2
-; Workaround for Eudora bug
-;options = DONT_INSERT_EMPTY_FRAGMENTS
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
[imaps]
-accept = localhost:993
+accept = localhost:143
connect = imap.fripost.org:993
CAfile = /etc/stunnel/certs/imap.fripost.org.pem
-options = NO_SSLv3
-ciphers = ECDH+AES:DH+AES
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.fripost.org.pem
; vim:ft=dosini
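Review bot: The `!SSLv2:!SSLv3:!TLSv1:!TLSv1.1` tail of the new `ciphers` line does not restrict protocol versions: in an OpenSSL cipher string those names select cipher suites by the version that introduced them, `TLSv1.1` is not a recognised keyword at all and is silently skipped, and on the OpenSSL 1.0.x shipped with Jessie `!SSLv3` removes every pre-TLS 1.2 suite, including the CBC suites that `EECDH+AES:EDH+AES` would otherwise admit. Protocol disabling is already done properly by the repeated `options = NO_*` lines (stunnel ORs repeated `options` entries, so those duplicate keys are intentional and should not be "deduplicated" by a later editor). If the intent is TLS 1.2 suites only, say so rather than leaving it to the keyword side effect: `; !SSLv3 drops pre-TLS1.2 *suites*; protocol versions are set by the NO_* options above` and drop the meaningless `:!TLSv1.1`. Note also that `SINGLE_DH_USE`/`SINGLE_ECDH_USE` only affect a TLS server; if the global section outside this hunk sets `client = yes` for these two services, they are harmless no-ops and a comment saying so would stop someone expecting them to do something here.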
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index 41bb7a3..2ddba96 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -73,17 +73,26 @@
notify:
- Restart stunnel
+- name: Copy slapd's X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/stunnel/certs/ldap.fripost.org.pem
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel
+
- name: Configure stunnel
copy: src=etc/stunnel/stunnel.conf
dest=/etc/stunnel/stunnel.conf
owner=root group=root
mode=0644
- register: r2
+ register: r3
notify:
- Restart stunnel
- name: Start stunnel
service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
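Review bot: The certificate this task installs is what stunnel.conf uses as `CAfile` for the `[ldaps]` service under `verify = 4`, which in stunnel verifies the peer certificate itself rather than a CA chain, so this file has to hold the exact leaf certificate ldap.fripost.org presents and must be replaced on every renewal; nothing in the task records that. Suggest a comment above it: `# Pinned leaf cert of ldap.fripost.org (stunnel verify = 4): refresh whenever that cert is renewed, or LDAP lookups fail.` The `when: not (r1.changed or r2.changed or r3.changed)` guard also has to be extended by hand each time a task is inserted (`r1` is registered outside this hunk); since `service: state=started` is idempotent and the handler restarts stunnel afterwards anyway, consider dropping the guard or at least noting why it exists.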
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 5bff410..8251841 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -47,6 +47,7 @@ server {
error_log /var/log/nginx/roundcube.error.log info;
index index.php;
+ client_max_body_size 64m;
location = /index.php {
include fastcgi/php;
include fastcgi/php-ssl;
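Review bot: `client_max_body_size 64m` is enforced by nginx before Roundcube authenticates anyone, so an unauthenticated client can now stream up to 64 MB per request at `/index.php`; that is the cost of attachment uploads, but the value should agree with PHP's `upload_max_filesize`/`post_max_size` and Roundcube's `max_message_size` (none of which are visible in this commit), otherwise users either hit a PHP-side limit with a less clear error or nginx's 413 masks the PHP setting. Suggest a comment: `# attachment uploads; keep in sync with PHP upload_max_filesize/post_max_size`. The enclosing `server` block starts and ends outside this hunk.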
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 558f062..ebe93c8 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -33,7 +33,7 @@
- { var: default_port, value: "143" }
- { var: imap_auth_type, value: "'plain'" }
- { var: imap_cache, value: "null" }
- - { var: messages_cache, value: "FALSE" }
+ - { var: messages_cache, value: "null" }
# SMTP
- { var: smtp_server, value: "'localhost'" }
- { var: smtp_port, value: "2580" }
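Review bot: As far as Roundcube's `defaults.inc.php` goes, `messages_cache` is documented as `false` or a backend name ('db', 'memcache', 'apc'), while `imap_cache` is the option whose default is `null`; writing `null` here is undocumented and only works because Roundcube tests the option with a loose boolean check. Unless uniformity with `imap_cache` was the goal, keep `FALSE`, or add a comment that `null` is deliberately relied on to mean "disabled". Separately, `imap_auth_type 'plain'` on port 143 sends credentials in cleartext to localhost; a one-line comment that the local stunnel `[imaps]` service wraps that hop in TLS would stop a later reader from "hardening" it to `ssl://`. The task owning this list starts outside the hunk.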
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 048302a..9d535c6 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -91,12 +91,13 @@ smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
+smtpd_relay_restrictions =
+ permit_mynetworks
+ reject
+
smtpd_recipient_restrictions =
- # RFC requirements
reject_non_fqdn_recipient
reject_unknown_recipient_domain
- permit_mynetworks
- reject
smtpd_data_restrictions =
reject_unauth_pipelining
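Review bot: With `reject` as the terminal entry of the new `smtpd_relay_restrictions`, any client outside `$mynetworks` is refused outright, not merely refused relaying, which is stricter than the Postfix 2.10+ default (`permit_mynetworks permit_sasl_authenticated defer_unauth_destination`) and makes this instance an accept-from-localhost-only hop; if this host were ever meant to receive mail for its own domains that now fails at RCPT. That appears to be the intent (Roundcube submits to localhost:2580 per roles/webmail/tasks/roundcube.yml), so record it: `# Submission from Roundcube on localhost only; this host is not an MX, so everything else is rejected before the recipient checks below.` Since the relay stage runs before `smtpd_recipient_restrictions`, the two `reject_*recipient*` checks now only ever see `$mynetworks` clients, which is unchanged behaviour but worth noting next to them.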