| | | |
|---|---|---|
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-02 17:54:24 +0200 |
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:15 +0200 |
| commit | 7a5cc5032b036f110a19b899cfc264065b473ed1 (patch) | |
| tree | e3b0960dea5ee0203dda36013adf2fcaba4c8a8f /roles/IMAP-proxy/tasks | |
| parent | 7becb5c762df5089bb0c4ff5a7f2fb026379fcb3 (diff) | |
Use stunnel to secure the connection from the IMAP proxy to the IMAP server.
The reason is that we don't want to rely on CAs to verify the
certificate of our server. Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint. stunnel
does.
Diffstat (limited to 'roles/IMAP-proxy/tasks')

| | | |
|---|---|---|
| -rw-r--r-- | roles/IMAP-proxy/tasks/main.yml | 46 |

1 files changed, 46 insertions, 0 deletions
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index bb6e5be..73a0dee 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -40,3 +40,49 @@ when: not r.changed - meta: flush_handlers + + +- name: Install stunnel + apt: pkg=stunnel4 + +- name: Auto-enable stunnel + lineinfile: dest=/etc/default/stunnel4 + regexp='^(\s*#)?\s*ENABLED=' + line='ENABLED=1' + owner=root group=root + mode=0644 + +- name: Create /etc/stunnel/certs + file: path=/etc/stunnel/certs + state=directory + owner=root group=root + mode=0755 + +- name: Copy Dovecot's X.509 certificate + # XXX: it's unfortunate that we have to store the whole CA chain... + # for some reason stunnel's level 4 "verify" (CA chain and only verify + # peer certificate) doesn't always work: + # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html + assemble: src=certs/dovecot + remote_src=no + dest=/etc/stunnel/certs/imap.fripost.org.pem + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart stunnel + +- name: Configure stunnel + copy: src=etc/stunnel/stunnel.conf + dest=/etc/stunnel/stunnel.conf + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart stunnel + +- name: Start stunnel + service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started + when: not (r1.changed or r2.changed) + +- meta: flush_handlers |
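Review bot: the "Copy Dovecot's X.509 certificate" task stores the whole CA chain in /etc/stunnel/certs/imap.fripost.org.pem, and the accompanying comment says this is because stunnel's level 4 verify (check only the peer certificate) "doesn't always work"; but the verify level actually used lives in the copied etc/stunnel/stunnel.conf, which is outside this diff, so nothing here records it. With a full chain as the trust file and a lower verify level, stunnel accepts any certificate issued by that CA chain, which is weaker than the "match said cert against a local copy or known fingerprint" guarantee the commit message promises. Suggest stating the configured verify level in the task comment (e.g. `# stunnel.conf uses verify = <level>; with the chain present this accepts any cert from that CA`) so the actual strength of the check is visible next to the pinned file, and noting that a later fix to the level 4 issue should drop the CA chain and keep only the server certificate. Minor: the "Restart stunnel" handler is referenced by both `notify` blocks but is not part of this diffstat (limited to tasks/), so double-check it exists in the role's handlers; and the "Start stunnel" task's `when: not (r1.changed or r2.changed)` relies on the handler restart to bring the service up on first install, which is fine but worth a one-line comment since the pattern is not obvious.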