diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-09 23:46:21 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-10 01:07:39 +0200 |
commit | b441dd4a7c3ce72008968d324a12e5c342d164a3 (patch) | |
tree | 8375a25dfb8a91d3d16cf426851cd1049bb508b3 /roles/webmail | |
parent | 418b3303f17776e64341f990d13e98ce6f662bf5 (diff) |
Route SMTP traffic from the webmail through IPsec.
Diffstat (limited to 'roles/webmail')
-rw-r--r-- | roles/webmail/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/webmail/tasks/mail.yml | 32 | ||||
-rw-r--r-- | roles/webmail/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 18 | ||||
-rw-r--r-- | roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 | 2 | ||||
-rw-r--r-- | roles/webmail/templates/etc/stunnel/smtp.conf.j2 | 58 |
6 files changed, 10 insertions, 109 deletions
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml index 17a0dc4..d02cdda 100644 --- a/roles/webmail/handlers/main.yml +++ b/roles/webmail/handlers/main.yml @@ -1,7 +1,4 @@ --- -- name: Restart stunnel@smtp - service: name=stunnel4@smtp state=restarted - - name: Restart stunnel@ldap service: name=stunnel4@ldap state=restarted diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml deleted file mode 100644 index 78eee38..0000000 --- a/roles/webmail/tasks/mail.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: Create /etc/stunnel/certs - file: path=/etc/stunnel/certs - state=directory - owner=root group=root - mode=0755 - -- name: Copy the SMTP outgoing proxy's X.509 certificate - assemble: src=certs/postfix regexp="{{ groups.out | difference([inventory_hostname]) | join('|') }}\.pem$" remote_src=no - dest=/etc/stunnel/certs/smtp.pem - owner=root group=root - mode=0644 - register: r1 - notify: - - Restart stunnel@smtp - -- name: Configure stunnel - template: src=etc/stunnel/smtp.conf.j2 - dest=/etc/stunnel/smtp.conf - owner=root group=root - mode=0644 - register: r2 - notify: - - Restart stunnel@smtp - -- name: Enable stunnel@smtp - service: name=stunnel4@smtp enabled=yes - -- name: Start stunnel@smtp - service: name=stunnel4@smtp state=started - when: not (r1.changed or r2.changed) - -- meta: flush_handlers diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml index 9c40a34..cd9f0c7 100644 --- a/roles/webmail/tasks/main.yml +++ b/roles/webmail/tasks/main.yml @@ -1,9 +1,3 @@ -- include: mail.yml - when: "'out' not in group_names" - tags: - - postfix - - mail - - stunnel - include: ldap.yml when: "'LDAP-provider' not in group_names" tags: diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 41ef907..d1fb8a2 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -49,16 +49,16 @@ # IMAP # WARNING: After hostname change update of mail_host column in users # table is required to match old user data records with the new host. - - { var: default_host, value: "'{{ ipsec[imapsvr.inventory_hostname_short] }}'" } - - { var: default_port, value: "143" } - - { var: imap_auth_type, value: "'PLAIN'" } - - { var: imap_cache, value: "null" } - - { var: imap_timeout, value: "180" } - - { var: imap_force_ns, value: "true" } - - { var: messages_cache, value: "false" } + - { var: default_host, value: "'{{ imapsvr_addr | ipaddr }}'" } + - { var: default_port, value: "143" } + - { var: imap_auth_type, value: "'PLAIN'" } + - { var: imap_cache, value: "null" } + - { var: imap_timeout, value: "180" } + - { var: imap_force_ns, value: "true" } + - { var: messages_cache, value: "false" } # SMTP - - { var: smtp_server, value: "'localhost'" } - - { var: smtp_port, value: "2525" } + - { var: smtp_server, value: "'{{ postfix_instance.out.addr | ipaddr }}'" } + - { var: smtp_port, value: "{{ postfix_instance.out.port }}" } # System - { var: force_https, value: "true" } - { var: login_autocomplete, value: "2" } diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 index dcaca06..66af466 100644 --- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 +++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 @@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190; // %n - http hostname ($_SERVER['SERVER_NAME']) // %d - domain (http hostname without the first part) // For example %n = mail.domain.tld, %d = domain.tld -$config['managesieve_host'] = '{{ ipsec[imapsvr.inventory_hostname_short] }}'; +$config['managesieve_host'] = '{{ imapsvr_addr | ipaddr }}'; // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL // or none. Optional, defaults to best method supported by server. diff --git a/roles/webmail/templates/etc/stunnel/smtp.conf.j2 b/roles/webmail/templates/etc/stunnel/smtp.conf.j2 deleted file mode 100644 index ba38bfa..0000000 --- a/roles/webmail/templates/etc/stunnel/smtp.conf.j2 +++ /dev/null @@ -1,58 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem -key = /etc/postfix/ssl/{{ ansible_fqdn }}.key -client = yes -socket = a:SO_BINDTODEVICE=lo - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -options = SINGLE_ECDH_USE -options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[smtp] -accept = localhost:2525 -connect = outgoing.fripost.org:{{ postfix_instance.out.port }} -CAfile = /etc/stunnel/certs/smtp.pem -protocol = smtp - -; vim:ft=dosini |