Use stunnel to secure the connection from the IMAP proxy to the IMAP server.

The reason is that we don't want to rely on CAs to verify the
certificate of our server.  Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint.  stunnel
does.

1 files changed, 10 insertions, 0 deletions

diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 3e93c53..be451ef 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -65,40 +65,50 @@
 - name: Create directory /etc/dovecot/ssl
   file: path=/etc/dovecot/ssl
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Generate a private key and a X.509 certificate for Dovecot
   command: genkeypair.sh x509
                          --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
                          --privkey=/etc/dovecot/ssl/imap.fripost.org.key
                          --dns=imap.fripost.org
                          -t rsa -b 4096 -h sha512
   register: r1
   changed_when: r1.rc == 0
   failed_when: r1.rc > 1
   notify:
     - Restart Dovecot
   tags:
     - genkey
 
+- name: Fetch Dovecot's X.509 certificate
+  # Ensure we don't fetch private data
+  sudo: False
+  fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem
+         dest=certs/dovecot/
+         fail_on_missing=yes
+         flat=yes
+  tags:
+    - genkey
+
 - name: Configure Dovecot
   copy: src=etc/dovecot/{{ item }}
         dest=/etc/dovecot/{{ item }}
         owner=root group=root
         mode=0644
   register: r2
   with_items:
     - conf.d/10-auth.conf
     - conf.d/10-logging.conf
     - conf.d/10-mail.conf
     - conf.d/10-master.conf
     - conf.d/10-ssl.conf
     - conf.d/15-mailboxes.conf
     - conf.d/20-imap.conf
     - conf.d/20-lmtp.conf
     - conf.d/90-plugin.conf
     - conf.d/90-sieve.conf
     - conf.d/auth-ldap.conf.ext
     - dovecot-ldap.conf.ext
     - dovecot-ldap-userdb.conf.ext