stunnel4: Harden and socket-activate.

author: Guilhem Moulin <guilhem@fripost.org> 2020-05-18 15:51:54 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2020-05-18 15:51:54 +0200
commit: 42df93debccbcb1a18cd377b6de0b5b20527312f (patch)
tree: acb669efd9b6f9d0d80e9563d2940192b3753925 /roles/webmail
parent: f3e90041c28a74c94d06f419889691f533422c2f (diff)
5 files changed, 44 insertions, 37 deletions
diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
index c32f58e..e53b753 100644
--- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
+++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
@@ -105,41 +105,41 @@ $config['password_blowfish_cost'] = 12;
 // -----------------------
 // The host which changes the password
 $config['password_pop_host'] = 'localhost';
 
 // TCP port used for poppassd connections
 $config['password_pop_port'] = 106;
 
 
 // SASL Driver options
 // -------------------
 // Additional arguments for the saslpasswd2 call
 $config['password_saslpasswd_args'] = '';
 
 
 // LDAP and LDAP_SIMPLE Driver options
 // -----------------------------------
 // LDAP server name to connect to. 
 // You can provide one or several hosts in an array in which case the hosts are tried from left to right.
 // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');
 // Default: 'localhost'
-$config['password_ldap_host'] = 'localhost';
+$config['password_ldap_host'] = '127.0.0.1';
 
 // LDAP server port to connect to
 // Default: '389'
 $config['password_ldap_port'] = '389';
 
 // TLS is started after connecting
 // Using TLS for password modification is recommanded.
 // Default: false
 $config['password_ldap_starttls'] = false;
 
 // LDAP version
 // Default: '3'
 $config['password_ldap_version'] = '3';
 
 // LDAP base name (root directory)
 // Exemple: 'dc=exemple,dc=com'
 $config['password_ldap_basedn'] = 'ou=virtual,dc=fripost,dc=org';
 
 // LDAP connection method
 // There is two connection method for changing a user's LDAP password.
diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
new file mode 100644
index 0000000..72aa82c
--- /dev/null
+++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
+
+[Socket]
+BindToDevice=lo
+ListenStream=127.0.0.1:389
+NoDelay=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 0515c8b..5b730d7 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -1,9 +1,15 @@
 ---
 - name: Restart stunnel@ldap
   service: name=stunnel4@ldap state=restarted
 
 - name: Restart php7.3-fpm
   service: name=php7.3-fpm state=restarted
 
 - name: Restart Nginx
   service: name=nginx state=restarted
+
+- name: Stop stunnel4@ldap.service
+  service: name=stunnel4@ldap.service state=stopped
+
+- name: Restart stunnel4@ldap.socket
+  service: name=stunnel4@ldap.socket state=restarted
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
index 4abbd3a..f0b461c 100644
--- a/roles/webmail/tasks/ldap.yml
+++ b/roles/webmail/tasks/ldap.yml
@@ -1,30 +1,36 @@
+- name: Copy stunnel4@ldap.socket
+  copy: src=etc/systemd/system/stunnel4@ldap.socket
+        dest=/etc/systemd/system/stunnel4@ldap.socket
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Restart stunnel4@ldap.socket
+
 - name: Create /etc/stunnel/certs
   file: path=/etc/stunnel/certs
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Copy the slapd X.509 certificate
   copy: src=certs/ldap/ldap.fripost.org.pem
         dest=/etc/stunnel/certs/ldap.pem
         owner=root group=root
         mode=0644
-  register: r1
   notify:
-    - Restart stunnel@ldap
+    - Stop stunnel4@ldap.service
 
 - name: Configure stunnel
-  copy: src=etc/stunnel/ldap.conf
-        dest=/etc/stunnel/ldap.conf
-        owner=root group=root
-        mode=0644
-  register: r2
+  template: src=etc/stunnel/ldap.conf.j2
+            dest=/etc/stunnel/ldap.conf
+            owner=root group=root
+            mode=0644
   notify:
-    - Restart stunnel@ldap
+    - Stop stunnel4@ldap.service
 
-- name: Enable stunnel@ldap
-  service: name=stunnel4@ldap enabled=yes
+- name: Disable stunnel4@ldap.service
+  service: name=stunnel4@ldap.service enabled=false
 
-- name: Start stunnel@ldap
-  service: name=stunnel4@ldap state=started
-  when: not (r1.changed or r2.changed)
+- name: Start stunnel4@ldap.socket socket
+  service: name=stunnel4@ldap.socket state=started enabled=true
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
index 1a60a4f..6fce2bc 100644
--- a/roles/webmail/files/etc/stunnel/ldap.conf
+++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
@@ -1,57 +1,41 @@
 ; **************************************************************************
 ; * Global options                                                         *
 ; **************************************************************************
 
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
 pid =
 foreground = yes
 
 ; Only log messages at severity warning (4) and higher
 debug = 4
 
 ; **************************************************************************
 ; * Service defaults may also be specified in individual service sections  *
 ; **************************************************************************
 
-; Certificate/key is needed in server mode and optional in client mode
-;cert = /etc/stunnel/mail.pem
-;key = /etc/stunnel/mail.pem
 client = yes
-socket = a:SO_BINDTODEVICE=lo
 
 ; Some performance tunings
-socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
 
 ; Prevent MITM attacks
-verify = 4
+verifyPeer = yes
 
 ; Disable support for insecure protocols
-;options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
+sslVersionMin = TLSv1.2
 options = NO_COMPRESSION
 
-; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
-
 ; Select permitted SSL ciphers
 ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
 
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode)               *
 ; **************************************************************************
 
 [ldaps]
-accept  = localhost:389
-connect = ldap.fripost.org:636
-CAfile  = /etc/stunnel/certs/ldap.pem
+; dummy address (socket-activated)
+accept  = 127.0.0.1:0
+connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636
+checkHost = ldap.fripost.org
+CAfile = /etc/stunnel/certs/ldap.pem
 
 ; vim:ft=dosini
author	Guilhem Moulin <guilhem@fripost.org>	2020-05-18 15:51:54 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2020-05-18 15:51:54 +0200
commit	42df93debccbcb1a18cd377b6de0b5b20527312f (patch)
tree	acb669efd9b6f9d0d80e9563d2940192b3753925 /roles/webmail
parent	f3e90041c28a74c94d06f419889691f533422c2f (diff)