Use stunnel to secure the connection from the IMAP proxy to the IMAP server.

The reason is that we don't want to rely on CAs to verify the
certificate of our server.  Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint.  stunnel
does.

5 files changed, 109 insertions, 3 deletions

diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
index 242762e..ea39a32 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
@@ -4,8 +4,8 @@
 # http://wiki2.dovecot.org/HowTo/ImapcProxy
 # http://wiki2.dovecot.org/Migration/Dsync
 
-imapc_host = imap.fripost.org
-imapc_port = 143
+imapc_host = localhost
+imapc_port = 993
 
 # Read multiple mails in parallel, improves performance
 mail_prefetch_count = 20
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
index e292092..7ab096f 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
@@ -4,7 +4,7 @@
 
 passdb {
   driver         = imap
-  args           = host=imap.fripost.org port=143
+  args           = host=localhost port=993
   default_fields = userdb_imapc_password=%w
 }
 
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
new file mode 100644
index 0000000..026bc30
--- /dev/null
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
@@ -0,0 +1,57 @@
+; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
+; Some options used here may be inadequate for your particular configuration
+; This sample file does *not* represent stunnel.conf defaults
+; Please consult the manual for detailed description of available options
+
+; **************************************************************************
+; * Global options                                                         *
+; **************************************************************************
+
+; A copy of some devices and system files is needed within the chroot jail
+; Chroot conflicts with configuration file reload and many other features
+; Remember also to update the logrotate configuration.
+;chroot = /var/lib/stunnel4/
+; Chroot jail can be escaped if setuid option is not used
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/stunnel4.pid
+
+; Debugging stuff (may useful for troubleshooting)
+debug = 4
+;output = /var/log/stunnel4/stunnel.log
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections  *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+;cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Authentication stuff needs to be configured to prevent MITM attacks
+verify = 4
+
+; Disable support for insecure SSLv2 protocol
+options = NO_SSLv2
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; These options provide additional security at some performance degradation
+;options = SINGLE_ECDH_USE
+;options = SINGLE_DH_USE
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode)               *
+; **************************************************************************
+
+[imaps]
+accept  = localhost:993
+connect = imap.fripost.org:993
+CAfile  = /etc/stunnel/certs/imap.fripost.org.pem
+ciphers = ECDH+AES:DH+AES
+
+; vim:ft=dosini
diff --git a/roles/IMAP-proxy/handlers/main.yml b/roles/IMAP-proxy/handlers/main.yml
index 45f817d..5249a7e 100644
--- a/roles/IMAP-proxy/handlers/main.yml
+++ b/roles/IMAP-proxy/handlers/main.yml
@@ -1,3 +1,6 @@
 ---
+- name: Restart stunnel
+  service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
+
 - name: Restart Dovecot
   service: name=dovecot state=restarted
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index bb6e5be..73a0dee 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -40,3 +40,49 @@
   when: not r.changed
 
 - meta: flush_handlers
+
+
+- name: Install stunnel
+  apt: pkg=stunnel4
+
+- name: Auto-enable stunnel
+  lineinfile: dest=/etc/default/stunnel4
+              regexp='^(\s*#)?\s*ENABLED='
+              line='ENABLED=1'
+              owner=root group=root
+              mode=0644
+
+- name: Create /etc/stunnel/certs
+  file: path=/etc/stunnel/certs
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy Dovecot's X.509 certificate
+  # XXX: it's unfortunate that we have to store the whole CA chain...
+  # for some reason stunnel's level 4 "verify" (CA chain and only verify
+  # peer certificate) doesn't always work:
+  # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html
+  assemble: src=certs/dovecot
+            remote_src=no
+            dest=/etc/stunnel/certs/imap.fripost.org.pem
+            owner=root group=root
+            mode=0644
+  register: r1
+  notify:
+    - Restart stunnel
+
+- name: Configure stunnel
+  copy: src=etc/stunnel/stunnel.conf
+        dest=/etc/stunnel/stunnel.conf
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart stunnel
+
+- name: Start stunnel
+  service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+  when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers