authorGuilhem Moulin <guilhem@fripost.org>2015-05-31 04:02:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:54 +0200
commitb29601e313e8d35ec7edee343c82ca71ed6a3a12 (patch)
tree7b8cf31c97f405fe5b66c675256b962f2770b120 /roles/IMAP-proxy/files/etc
parentfa82a617a0c50b7478cd2b7189aa5f7d14449954 (diff)
Upgrade the webmail configuration from Wheezy to Jessie.
Diffstat (limited to 'roles/IMAP-proxy/files/etc')
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf21
-rw-r--r--roles/IMAP-proxy/files/etc/stunnel/stunnel.conf22
2 files changed, 25 insertions, 18 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
index 9c50531..e2225c3 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
@@ -146,13 +146,6 @@ mail_gid = imapproxy
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -165,14 +158,14 @@ mail_gid = imapproxy
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
-first_valid_gid = 1
+#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
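Review bot: Commenting out `first_valid_uid = 1` (the `+#first_valid_uid = 500` line) hands the UID floor back to Dovecot's default of 500, and nothing in the hunk shows that the `imapproxy` account named in the hunk header (`mail_gid = imapproxy`) has a UID at or above that. On Debian, system accounts are allocated below 1000 and may well sit under 500, in which case a login that passed with `first_valid_uid = 1` is now rejected with the default. If relying on the default is intended, a comment stating the assumption would make the change reviewable, e.g. `# imapproxy is a system account with uid >= 500, so the default floor is safe`, otherwise keep an explicit `first_valid_uid = <uid of imapproxy>`. By contrast `#first_valid_gid = 1` a few lines later is a no-op, since 1 is already Dovecot's default for that setting.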
@@ -205,12 +198,16 @@ first_valid_gid = 1
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = virtual
+mail_plugins = virtual zlib
##
## Mailbox handling optimizations
##
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
@@ -262,6 +259,10 @@ mail_plugins = virtual
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
##
## mbox-specific settings
##
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
index e77b557..f1c2a16 100644
--- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
@@ -39,24 +39,30 @@ socket = r:TCP_NODELAY=1
; Authentication stuff needs to be configured to prevent MITM attacks
verify = 4
-; Disable support for insecure SSLv2 protocol
+; Disable support for insecure protocols
options = NO_SSLv2
-; Workaround for Eudora bug
-;options = DONT_INSERT_EMPTY_FRAGMENTS
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
[imaps]
-accept = localhost:993
+accept = localhost:143
connect = imap.fripost.org:993
CAfile = /etc/stunnel/certs/imap.fripost.org.pem
-options = NO_SSLv3
-ciphers = ECDH+AES:DH+AES
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.fripost.org.pem
; vim:ft=dosini
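Review bot: The `!SSLv2:!SSLv3:!TLSv1:!TLSv1.1` tail of the new global `ciphers` line mixes two mechanisms: protocol versions are already disabled by the `options = NO_SSLv3` / `NO_TLSv1` / `NO_TLSv1.1` lines above, whereas in OpenSSL cipher-list syntax `SSLv3` and `TLSv1` select cipher suites by the protocol that introduced them, not by the negotiated version, and `TLSv1.1` is not a cipher-list keyword at all and, as far as I can tell, is silently dropped. The practical effect is that `!TLSv1` removes every suite that predates TLS 1.2, including the AES-CBC-SHA1 suites that TLS 1.2 itself still permits, which may or may not be the intent. I would verify the resulting list with `openssl ciphers -v '<the string>'` against the Jessie OpenSSL and record the intent above the line, e.g. `; protocol versions are governed by the options = NO_* lines; !TLSv1 further limits the suites to those introduced with TLS 1.2`. Note that the global `options`, `ciphers` and `verify = 4` now also apply to the new `[ldaps]` service, so the LDAP server must offer a TLS 1.2 suite from that list for the proxy to connect.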