author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-02 17:54:24 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:15 +0200 |
commit | 7a5cc5032b036f110a19b899cfc264065b473ed1 (patch) | |
tree | e3b0960dea5ee0203dda36013adf2fcaba4c8a8f /roles/IMAP-proxy/files/etc/stunnel | |
parent | 7becb5c762df5089bb0c4ff5a7f2fb026379fcb3 (diff) |
Use stunnel to secure the connection from the IMAP proxy to the IMAP server.
The reason is that we don't want to rely on CAs to verify the
certificate of our server. Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint. stunnel
does.
Diffstat (limited to 'roles/IMAP-proxy/files/etc/stunnel')
-rw-r--r-- | roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf new file mode 100644 index 0000000..026bc30 --- /dev/null +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf 
@@ -0,0 +1,57 @@ +; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 +; Some options used here may be inadequate for your particular configuration +; This sample file does *not* represent stunnel.conf defaults +; Please consult the manual for detailed description of available options + +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; A copy of some devices and system files is needed within the chroot jail +; Chroot conflicts with configuration file reload and many other features +; Remember also to update the logrotate configuration. +;chroot = /var/lib/stunnel4/ +; Chroot jail can be escaped if setuid option is not used +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/stunnel4.pid + +; Debugging stuff (may useful for troubleshooting) +debug = 4 +;output = /var/log/stunnel4/stunnel.log + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Authentication stuff needs to be configured to prevent MITM attacks +verify = 4 + +; Disable support for insecure SSLv2 protocol +options = NO_SSLv2 +; Workaround for Eudora bug +;options = DONT_INSERT_EMPTY_FRAGMENTS + +; These options provide additional security at some performance degradation +;options = SINGLE_ECDH_USE +;options = SINGLE_DH_USE + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; 
************************************************************************** + +[imaps] +accept = localhost:993 +connect = imap.fripost.org:993 +CAfile = /etc/stunnel/certs/imap.fripost.org.pem +ciphers = ECDH+AES:DH+AES + +; vim:ft=dosini |
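Review bot: with `verify = 4` the only trust anchor is `CAfile = /etc/stunnel/certs/imap.fripost.org.pem`, but that file is not part of this change (the diffstat lists only stunnel.conf), so the service will fail closed until it is provisioned; please document where the pinned copy comes from and that it has to be replaced whenever the server certificate is renewed, since a level-4 verify matches the leaf certificate itself rather than a CA chain. Two smaller points in the same hunk: `options = NO_SSLv2` leaves SSLv3 enabled on the client side, so consider adding `options = NO_SSLv3` (or restricting `sslVersion` to TLS) alongside the `ciphers = ECDH+AES:DH+AES` line; and `debug = 4` with `output` commented out sends stunnel's logging to syslog, which is fine for a proxy host but deserves a one-line comment so the next reader knows where to look.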