| author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 15:51:54 +0200 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 15:51:54 +0200 | 
| commit | 42df93debccbcb1a18cd377b6de0b5b20527312f (patch) | |
| tree | acb669efd9b6f9d0d80e9563d2940192b3753925 /roles/webmail/files/etc | |
| parent | f3e90041c28a74c94d06f419889691f533422c2f (diff) | |
stunnel4: Harden and socket-activate.
Diffstat (limited to 'roles/webmail/files/etc')
3 files changed, 12 insertions, 58 deletions
diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php index c32f58e..e53b753 100644 --- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php +++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php @@ -105,41 +105,41 @@ $config['password_blowfish_cost'] = 12;  // -----------------------  // The host which changes the password  $config['password_pop_host'] = 'localhost';  // TCP port used for poppassd connections  $config['password_pop_port'] = 106;  // SASL Driver options  // -------------------  // Additional arguments for the saslpasswd2 call  $config['password_saslpasswd_args'] = '';  // LDAP and LDAP_SIMPLE Driver options  // -----------------------------------  // LDAP server name to connect to.   // You can provide one or several hosts in an array in which case the hosts are tried from left to right.  // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');  // Default: 'localhost' -$config['password_ldap_host'] = 'localhost'; +$config['password_ldap_host'] = '127.0.0.1';  // LDAP server port to connect to  // Default: '389'  $config['password_ldap_port'] = '389';  // TLS is started after connecting  // Using TLS for password modification is recommanded.  // Default: false  $config['password_ldap_starttls'] = false;  // LDAP version  // Default: '3'  $config['password_ldap_version'] = '3';  // LDAP base name (root directory)  // Exemple: 'dc=exemple,dc=com'  $config['password_ldap_basedn'] = 'ou=virtual,dc=fripost,dc=org';  // LDAP connection method  // There is two connection method for changing a user's LDAP password. diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf deleted file mode 100644 index 1a60a4f..0000000 --- a/roles/webmail/files/etc/stunnel/ldap.conf +++ /dev/null 
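Review bot: The switch of `$config['password_ldap_host']` to `'127.0.0.1'` is only safe because a local stunnel listener terminates TLS on that address, yet nothing near the assignment says so, and `$config['password_ldap_starttls'] = false` a few lines below makes it read as cleartext LDAP on port 389 to whoever maintains this file next. Add a comment above the assignment, e.g. `// Plain LDAP to the local stunnel4@ldap listener on 127.0.0.1:389, which forwards over TLS; keep starttls off and do not point this at the remote host.` The literal address is also what the new systemd socket binds (`ListenStream=127.0.0.1:389`), so it avoids a resolver that may return `::1` for `localhost`; worth stating in the same comment.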
@@ -1,57 +0,0 @@
-; **************************************************************************
-; * Global options                                                         *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections  *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-;cert = /etc/stunnel/mail.pem
-;key = /etc/stunnel/mail.pem
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-;options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode)               *
-; **************************************************************************
-
-[ldaps]
-accept  = localhost:389
-connect = ldap.fripost.org:636
-CAfile  = /etc/stunnel/certs/ldap.pem
-
-; vim:ft=dosini
diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
new file mode 100644
index 0000000..72aa82c
--- /dev/null
+++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
+
+[Socket]
+BindToDevice=lo
+ListenStream=127.0.0.1:389
+NoDelay=yes
+
+[Install]
+WantedBy=sockets.target
|
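Review bot: The socket unit carries over only the loopback binding (`BindToDevice=lo`, `ListenStream=127.0.0.1:389`) and TCP_NODELAY from the deleted ldap.conf; the TLS policy that file also held (`verify = 4`, the `CAfile`, the `NO_SSLv3`/`NO_TLSv1`/`NO_TLSv1.1` options and the cipher list) is no longer visible anywhere under roles/webmail/files/etc. Presumably it moves into the stunnel4@ldap instance configuration outside this diffstat, but the unit gives a reader no pointer, so a regression there would go unnoticed from this side. Suggest a comment after the `[Socket]` header, e.g. `# Loopback-only listener for the client-side LDAP tunnel; certificate verification and protocol/cipher limits are set in the stunnel4@ldap instance config, not here.` `Documentation=` could also list `man:systemd.socket(5)` next to `man:stunnel4(8)` so the activation semantics are easy to look up.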
