diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-06-05 17:30:00 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-06-05 17:33:25 +0200 |
| commit | 17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 (patch) | |
| tree | 00dc894e22ab7221e908faeac98095835b0a0782 /roles/webmail/files/etc | |
| parent | 57e40efc54c230566fd5f6bd10d25692709909b7 (diff) | |
Use stunnel to secure the connection from the webmail to ldap.fripost.org.
We should use IPSec instead, but doing so would force us to weaken
slapd.conf's ‘security’ setting.
Diffstat (limited to 'roles/webmail/files/etc')
| -rw-r--r-- | roles/webmail/files/etc/stunnel/ldap.conf | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf new file mode 100644 index 0000000..1149bce --- /dev/null +++ b/roles/webmail/files/etc/stunnel/ldap.conf @@ -0,0 +1,57 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; setuid()/setgid() to the specified user/group in daemon mode +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = +foreground = yes + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verify = 4 + +; Disable support for insecure protocols +options = NO_SSLv2 +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 + +options = NO_COMPRESSION + +; These options provide additional security at some performance degradation +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +; Select permitted SSL ciphers +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[ldaps] +accept = localhost:389 +connect = ldap.fripost.org:636 +CAfile = /etc/stunnel/certs/ldap.pem + +; vim:ft=dosini |