summaryrefslogtreecommitdiffstats
path: root/roles/webmail/files/etc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-06-05 17:30:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-05 17:33:25 +0200
commit17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 (patch)
tree00dc894e22ab7221e908faeac98095835b0a0782 /roles/webmail/files/etc
parent57e40efc54c230566fd5f6bd10d25692709909b7 (diff)
Use stunnel to secure the connection from the webmail to ldap.fripost.org.
We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
Diffstat (limited to 'roles/webmail/files/etc')
-rw-r--r--roles/webmail/files/etc/stunnel/ldap.conf57
1 files changed, 57 insertions, 0 deletions
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
new file mode 100644
index 0000000..1149bce
--- /dev/null
+++ b/roles/webmail/files/etc/stunnel/ldap.conf
@@ -0,0 +1,57 @@
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid =
+foreground = yes
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+;cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+options = NO_COMPRESSION
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.pem
+
+; vim:ft=dosini