Upgrade the webmail configuration from Wheezy to Jessie.

3 files changed, 36 insertions, 20 deletions

diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
index 9c50531..e2225c3 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
@@ -146,13 +146,6 @@ mail_gid = imapproxy
 #   never: Never use it (best performance, but crashes can lose data)
 #mail_fsync = optimized
 
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
 # Locking method for index files. Alternatives are fcntl, flock and dotlock.
 # Dotlocking uses some tricks which may create more disk I/O than other locking
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -165,14 +158,14 @@ mail_gid = imapproxy
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
 #last_valid_uid = 0
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-first_valid_gid = 1
+#first_valid_gid = 1
 #last_valid_gid = 0
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
@@ -205,12 +198,16 @@ first_valid_gid = 1
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = virtual
+mail_plugins = virtual zlib
 
 ##
 ## Mailbox handling optimizations
 ##
 
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
 # the cost of more disk reads.
@@ -262,6 +259,10 @@ mail_plugins = virtual
 # broken size. The performance hit for enabling this is very small.
 #maildir_broken_filename_sizes = no
 
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
 ##
 ## mbox-specific settings
 ##
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
index e77b557..f1c2a16 100644
--- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
@@ -39,24 +39,30 @@ socket = r:TCP_NODELAY=1
 ; Authentication stuff needs to be configured to prevent MITM attacks
 verify = 4
 
-; Disable support for insecure SSLv2 protocol
+; Disable support for insecure protocols
 options = NO_SSLv2
-; Workaround for Eudora bug
-;options = DONT_INSERT_EMPTY_FRAGMENTS
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
 
 ; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
 
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode)               *
 ; **************************************************************************
 
 [imaps]
-accept  = localhost:993
+accept  = localhost:143
 connect = imap.fripost.org:993
 CAfile  = /etc/stunnel/certs/imap.fripost.org.pem
-options = NO_SSLv3
-ciphers = ECDH+AES:DH+AES
+
+[ldaps]
+accept  = localhost:389
+connect = ldap.fripost.org:636
+CAfile  = /etc/stunnel/certs/ldap.fripost.org.pem
 
 ; vim:ft=dosini
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index 41bb7a3..2ddba96 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -73,17 +73,26 @@
   notify:
     - Restart stunnel
 
+- name: Copy slapd's X.509 certificate
+  copy: src=certs/ldap/ldap.fripost.org.pem
+        dest=/etc/stunnel/certs/ldap.fripost.org.pem
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart stunnel
+
 - name: Configure stunnel
   copy: src=etc/stunnel/stunnel.conf
         dest=/etc/stunnel/stunnel.conf
         owner=root group=root
         mode=0644
-  register: r2
+  register: r3
   notify:
     - Restart stunnel
 
 - name: Start stunnel
   service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers