Configure the webmail.

5 files changed, 43 insertions, 2 deletions

diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
new file mode 100644
index 0000000..c8cb5d3
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
@@ -0,0 +1,16 @@
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\.
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 3540e32..38b2ecb 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -1,33 +1,34 @@
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master").
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 smtp      inet  n       -       -       -       -       smtpd
 16132     inet  n       -       -       -       -       smtpd
 2526      inet  n       -       -       -       -       smtpd
+2580      inet  n       -       -       -       -       smtpd
 submission inet n       -       -       -       -       smtpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 rewrite   unix  -       -       -       -       -       trivial-rewrite
 bounce    unix  -       -       -       -       0       bounce
 defer     unix  -       -       -       -       0       bounce
 trace     unix  -       -       -       -       0       bounce
 verify    unix  -       -       -       -       1       verify
 flush     unix  n       -       -       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       -       -       -       smtp
 relay     unix  -       -       -       -       -       smtp
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       -       -       -       showq
 error     unix  -       -       -       -       -       error
 retry     unix  -       -       -       -       -       error
 discard   unix  -       -       -       -       -       discard
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index d5007b9..be26c79 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,17 +1,28 @@
 - name: Install fail2ban
   apt: pkg=fail2ban
 
+- name: Add addititional filters
+  copy: src=etc/fail2ban/filter.d/{{ item }}
+        dest=/etc/fail2ban/filter.d/{{ item }}
+        owner=root group=root
+        mode=0644
+  register: r1
+  with_items:
+    - roundcube.conf
+  notify:
+    - Restart fail2ban
+
 - name: Configure fail2ban
   template: src=etc/fail2ban/jail.local.j2
             dest=/etc/fail2ban/jail.local
             owner=root group=root
             mode=0644
-  register: r
+  register: r2
   notify:
     - Restart fail2ban
 
 - name: Start fail2ban
   service: name=fail2ban state=started
-  when: not r.changed
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 661c862..7c5bc0e 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -64,20 +64,30 @@ maxretry = 10
 
 
 {% if 'IMAP' in group_names %}
 [dovecot]
 
 enabled = true
 port    = imap2,imap3,imaps,pop3,pop3s
 filter  = dovecot
 logpath = /var/log/mail.log
 {% endif %}
 
 
 {% if 'MSA' in group_names %}
 [sasl]
 
 enabled  = true
 port     = submission
 filter   = sasl
 logpath  = /var/log/mail.warn
 {% endif %}
+
+
+{% if 'webmail' in group_names %}
+[roundcube]
+
+enabled  = true
+port     = http,https
+filter   = roundcube
+logpath  = /var/log/roundcube/errors
+{% endif %}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 2a36932..3ddb87e 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -8,20 +8,23 @@ inout   udp     500      500                            # ISAKMP
 #inout   udp     4500    4500    # IPSec NAT Traversal
 
 out     tcp     80,443                                  # HTTP/HTTPS
 out     udp     53                                      # DNS
 out     udp     67                                      # DHCP
 
 {% if 'NTP-master' in group_names %}
 out     udp     123      123                            # NTP
 {% endif %}
 
 in      tcp     {{ ansible_ssh_port|default('22') }}    # SSH
 {% if 'MX' in group_names %}
 in      tcp     25                                      # SMTP
 {% endif %}
 {% if 'IMAP' in group_names %}
 in      tcp     993                                     # IMAPS
 {% endif %}
 {% if 'MSA' in group_names %}
 in      tcp     587                                     # SMTP-AUTH
 {% endif %}
+{% if 'webmail' in group_names %}
+in     tcp      80,443                                  # HTTP/HTTPS
+{% endif %}