Configure the webmail.

5 files changed, 43 insertions, 2 deletions

diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
new file mode 100644
index 0000000..c8cb5d3
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
@@ -0,0 +1,16 @@
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\.
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 3540e32..38b2ecb 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -11,6 +11,7 @@
 smtp      inet  n       -       -       -       -       smtpd
 16132     inet  n       -       -       -       -       smtpd
 2526      inet  n       -       -       -       -       smtpd
+2580      inet  n       -       -       -       -       smtpd
 submission inet n       -       -       -       -       smtpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index d5007b9..be26c79 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,17 +1,28 @@
 - name: Install fail2ban
   apt: pkg=fail2ban
 
+- name: Add addititional filters
+  copy: src=etc/fail2ban/filter.d/{{ item }}
+        dest=/etc/fail2ban/filter.d/{{ item }}
+        owner=root group=root
+        mode=0644
+  register: r1
+  with_items:
+    - roundcube.conf
+  notify:
+    - Restart fail2ban
+
 - name: Configure fail2ban
   template: src=etc/fail2ban/jail.local.j2
             dest=/etc/fail2ban/jail.local
             owner=root group=root
             mode=0644
-  register: r
+  register: r2
   notify:
     - Restart fail2ban
 
 - name: Start fail2ban
   service: name=fail2ban state=started
-  when: not r.changed
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 661c862..7c5bc0e 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -81,3 +81,13 @@ port     = submission
 filter   = sasl
 logpath  = /var/log/mail.warn
 {% endif %}
+
+
+{% if 'webmail' in group_names %}
+[roundcube]
+
+enabled  = true
+port     = http,https
+filter   = roundcube
+logpath  = /var/log/roundcube/errors
+{% endif %}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 2a36932..3ddb87e 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -25,3 +25,6 @@ in      tcp     993                                     # IMAPS
 {% if 'MSA' in group_names %}
 in      tcp     587                                     # SMTP-AUTH
 {% endif %}
+{% if 'webmail' in group_names %}
+in     tcp      80,443                                  # HTTP/HTTPS
+{% endif %}