summaryrefslogtreecommitdiffstats
path: root/roles/webmail
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-07-09 23:46:21 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-07-10 01:07:39 +0200
commitb441dd4a7c3ce72008968d324a12e5c342d164a3 (patch)
tree8375a25dfb8a91d3d16cf426851cd1049bb508b3 /roles/webmail
parent418b3303f17776e64341f990d13e98ce6f662bf5 (diff)
Route SMTP traffic from the webmail through IPsec.
Diffstat (limited to 'roles/webmail')
-rw-r--r--roles/webmail/handlers/main.yml3
-rw-r--r--roles/webmail/tasks/mail.yml32
-rw-r--r--roles/webmail/tasks/main.yml6
-rw-r--r--roles/webmail/tasks/roundcube.yml18
-rw-r--r--roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j22
-rw-r--r--roles/webmail/templates/etc/stunnel/smtp.conf.j258
6 files changed, 10 insertions, 109 deletions
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 17a0dc4..d02cdda 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -1,7 +1,4 @@
---
-- name: Restart stunnel@smtp
- service: name=stunnel4@smtp state=restarted
-
- name: Restart stunnel@ldap
service: name=stunnel4@ldap state=restarted
diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml
deleted file mode 100644
index 78eee38..0000000
--- a/roles/webmail/tasks/mail.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- name: Create /etc/stunnel/certs
- file: path=/etc/stunnel/certs
- state=directory
- owner=root group=root
- mode=0755
-
-- name: Copy the SMTP outgoing proxy's X.509 certificate
- assemble: src=certs/postfix regexp="{{ groups.out | difference([inventory_hostname]) | join('|') }}\.pem$" remote_src=no
- dest=/etc/stunnel/certs/smtp.pem
- owner=root group=root
- mode=0644
- register: r1
- notify:
- - Restart stunnel@smtp
-
-- name: Configure stunnel
- template: src=etc/stunnel/smtp.conf.j2
- dest=/etc/stunnel/smtp.conf
- owner=root group=root
- mode=0644
- register: r2
- notify:
- - Restart stunnel@smtp
-
-- name: Enable stunnel@smtp
- service: name=stunnel4@smtp enabled=yes
-
-- name: Start stunnel@smtp
- service: name=stunnel4@smtp state=started
- when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 9c40a34..cd9f0c7 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -1,9 +1,3 @@
-- include: mail.yml
- when: "'out' not in group_names"
- tags:
- - postfix
- - mail
- - stunnel
- include: ldap.yml
when: "'LDAP-provider' not in group_names"
tags:
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 41ef907..d1fb8a2 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -49,16 +49,16 @@
# IMAP
# WARNING: After hostname change update of mail_host column in users
# table is required to match old user data records with the new host.
- - { var: default_host, value: "'{{ ipsec[imapsvr.inventory_hostname_short] }}'" }
- - { var: default_port, value: "143" }
- - { var: imap_auth_type, value: "'PLAIN'" }
- - { var: imap_cache, value: "null" }
- - { var: imap_timeout, value: "180" }
- - { var: imap_force_ns, value: "true" }
- - { var: messages_cache, value: "false" }
+ - { var: default_host, value: "'{{ imapsvr_addr | ipaddr }}'" }
+ - { var: default_port, value: "143" }
+ - { var: imap_auth_type, value: "'PLAIN'" }
+ - { var: imap_cache, value: "null" }
+ - { var: imap_timeout, value: "180" }
+ - { var: imap_force_ns, value: "true" }
+ - { var: messages_cache, value: "false" }
# SMTP
- - { var: smtp_server, value: "'localhost'" }
- - { var: smtp_port, value: "2525" }
+ - { var: smtp_server, value: "'{{ postfix_instance.out.addr | ipaddr }}'" }
+ - { var: smtp_port, value: "{{ postfix_instance.out.port }}" }
# System
- { var: force_https, value: "true" }
- { var: login_autocomplete, value: "2" }
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
index dcaca06..66af466 100644
--- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190;
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = '{{ ipsec[imapsvr.inventory_hostname_short] }}';
+$config['managesieve_host'] = '{{ imapsvr_addr | ipaddr }}';
// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
// or none. Optional, defaults to best method supported by server.
diff --git a/roles/webmail/templates/etc/stunnel/smtp.conf.j2 b/roles/webmail/templates/etc/stunnel/smtp.conf.j2
deleted file mode 100644
index ba38bfa..0000000
--- a/roles/webmail/templates/etc/stunnel/smtp.conf.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-; **************************************************************************
-; * Global options *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-key = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode) *
-; **************************************************************************
-
-[smtp]
-accept = localhost:2525
-connect = outgoing.fripost.org:{{ postfix_instance.out.port }}
-CAfile = /etc/stunnel/certs/smtp.pem
-protocol = smtp
-
-; vim:ft=dosini