diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-01 23:02:45 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:13 +0200 |
| commit | de4859456f1de54540c96ad97f62858dd089a980 (patch) | |
| tree | 4b4904258ae3daf6a6b4f852cbc9821acdfa8cc4 /roles/webmail/templates | |
| parent | 170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (diff) | |
Replace IPSec tunnels by app-level ephemeral TLS sessions.
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
Diffstat (limited to 'roles/webmail/templates')
| -rw-r--r-- | roles/webmail/templates/etc/postfix/main.cf.j2 | 20 | ||||
| -rw-r--r-- | roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 | 2 |
2 files changed, 12 insertions, 10 deletions
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 index b070881..595f618 100644 --- a/roles/webmail/templates/etc/postfix/main.cf.j2 +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -23,66 +23,68 @@ master_service_disable = !127.0.0.1:2580.inet inet queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} multi_instance_group = {{ postfix_instance[inst].group | default('') }} multi_instance_name = postfix-{{ postfix_instance[inst].name }} multi_instance_enable = yes # This server is a nullclient mynetworks_style = host inet_interfaces = loopback-only # No local delivery mydestination = local_transport = error:5.1.1 Mailbox unavailable alias_maps = alias_database = local_recipient_maps = message_size_limit = 67108864 recipient_delimiter = + -# Forward everything to our internal mailhub +# Forward everything to our internal outgoing proxy {% if 'out' in group_names %} relayhost = [127.0.0.1]:{{ postfix_instance.out.port }} {% else %} relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }} {% endif %} relay_domains = + # Don't rewrite remote headers local_header_rewrite_clients = # Avoid splitting the envelope and scanning messages multiple times smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency smtp_data_done_timeout = 1200s -# Pass the mail to the antivirus -#content_filter = amavisfeed:unix:public/amavisfeed-antivirus - -# Tunnel everything through IPSec -smtp_tls_security_level = none {% if 'out' in group_names %} -smtp_bind_address = 127.0.0.1 +smtp_tls_security_level = none +smtp_bind_address = 127.0.0.1 {% else %} -smtp_bind_address = 172.16.0.1 +smtp_tls_security_level = encrypt +smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem +smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key +smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache +smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy +smtp_tls_fingerprint_digest = sha256 {% endif %} -smtpd_tls_security_level = none +smtpd_tls_security_level = none strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control unknown_client_reject_code = 554 smtpd_client_restrictions = permit_mynetworks reject smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname smtpd_sender_restrictions = diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 index c716ddc..d88a09a 100644 --- a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 +++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 @@ -9,41 +9,41 @@ $rcmail_config['managesieve_port'] = 4190; // %n - http hostname ($_SERVER['SERVER_NAME']) // %d - domain (http hostname without the first part) // For example %n = mail.domain.tld, %d = domain.tld $rcmail_config['managesieve_host'] = 'imap.fripost.org'; // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL // or none. Optional, defaults to best method supported by server. $rcmail_config['managesieve_auth_type'] = 'PLAIN'; // Optional managesieve authentication identifier to be used as authorization proxy. // Authenticate as a different user but act on behalf of the logged in user. // Works with PLAIN and DIGEST-MD5 auth. $rcmail_config['managesieve_auth_cid'] = null; // Optional managesieve authentication password to be used for imap_auth_cid $rcmail_config['managesieve_auth_pw'] = null; // use or not TLS for managesieve server connection // it's because I've problems with TLS and dovecot's managesieve plugin // and it's not needed on localhost -$rcmail_config['managesieve_usetls'] = FALSE; +$rcmail_config['managesieve_usetls'] = TRUE; // default contents of filters script (eg. default spam filter) $rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global'; // The name of the script which will be used when there's no user script $rcmail_config['managesieve_script_name'] = 'managesieve'; // Sieve RFC says that we should use UTF-8 endcoding for mailbox names, // but some implementations does not covert UTF-8 to modified UTF-7. // Defaults to UTF7-IMAP $rcmail_config['managesieve_mbox_encoding'] = 'UTF-8'; // I need this because my dovecot (with listescape plugin) uses // ':' delimiter, but creates folders with dot delimiter $rcmail_config['managesieve_replace_delimiter'] = ''; // disabled sieve extensions (body, copy, date, editheader, encoded-character, // envelope, environment, ereject, fileinto, ihave, imap4flags, index, // mailbox, mboxmetadata, regex, reject, relational, servermetadata, // spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. |