Route SMTP traffic from the webmail through IPsec.

author: Guilhem Moulin <guilhem@fripost.org> 2016-07-09 23:46:21 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-07-10 01:07:39 +0200
commit: b441dd4a7c3ce72008968d324a12e5c342d164a3 (patch)
tree: 8375a25dfb8a91d3d16cf426851cd1049bb508b3 /roles/webmail
parent: 418b3303f17776e64341f990d13e98ce6f662bf5 (diff)
6 files changed, 10 insertions, 109 deletions
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 17a0dc4..d02cdda 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -1,7 +1,4 @@
 ---
-- name: Restart stunnel@smtp
-  service: name=stunnel4@smtp state=restarted
-
 - name: Restart stunnel@ldap
   service: name=stunnel4@ldap state=restarted
 
diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml
deleted file mode 100644
index 78eee38..0000000
--- a/roles/webmail/tasks/mail.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- name: Create /etc/stunnel/certs
-  file: path=/etc/stunnel/certs
-        state=directory
-        owner=root group=root
-        mode=0755
-
-- name: Copy the SMTP outgoing proxy's X.509 certificate
-  assemble: src=certs/postfix regexp="{{ groups.out | difference([inventory_hostname]) | join('|') }}\.pem$" remote_src=no
-            dest=/etc/stunnel/certs/smtp.pem
-            owner=root group=root
-            mode=0644
-  register: r1
-  notify:
-    - Restart stunnel@smtp
-
-- name: Configure stunnel
-  template: src=etc/stunnel/smtp.conf.j2
-            dest=/etc/stunnel/smtp.conf
-            owner=root group=root
-            mode=0644
-  register: r2
-  notify:
-    - Restart stunnel@smtp
-
-- name: Enable stunnel@smtp
-  service: name=stunnel4@smtp enabled=yes
-
-- name: Start stunnel@smtp
-  service: name=stunnel4@smtp state=started
-  when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 9c40a34..cd9f0c7 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -1,9 +1,3 @@
-- include: mail.yml
-  when: "'out' not in group_names"
-  tags:
-    - postfix
-    - mail
-    - stunnel
 - include: ldap.yml
   when: "'LDAP-provider' not in group_names"
   tags:
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 41ef907..d1fb8a2 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -49,16 +49,16 @@
     # IMAP
     #   WARNING: After hostname change update of mail_host column in users
     #   table is required to match old user data records with the new host.
-    - { var: default_host,           value: "'{{ ipsec[imapsvr.inventory_hostname_short] }}'" }
-    - { var: default_port,           value: "143"                                             }
-    - { var: imap_auth_type,         value: "'PLAIN'"                                         }
-    - { var: imap_cache,             value: "null"                                            }
-    - { var: imap_timeout,           value: "180"                                             }
-    - { var: imap_force_ns,          value: "true"                                            }
-    - { var: messages_cache,         value: "false"                                           }
+    - { var: default_host,           value: "'{{ imapsvr_addr | ipaddr }}'" }
+    - { var: default_port,           value: "143"                           }
+    - { var: imap_auth_type,         value: "'PLAIN'"                       }
+    - { var: imap_cache,             value: "null"                          }
+    - { var: imap_timeout,           value: "180"                           }
+    - { var: imap_force_ns,          value: "true"                          }
+    - { var: messages_cache,         value: "false"                         }
     # SMTP
-    - { var: smtp_server,            value: "'localhost'" }
-    - { var: smtp_port,              value: "2525"        }
+    - { var: smtp_server,            value: "'{{ postfix_instance.out.addr | ipaddr }}'" }
+    - { var: smtp_port,              value:  "{{ postfix_instance.out.port          }}"  }
     # System
     - { var: force_https,            value: "true"                       }
     - { var: login_autocomplete,     value: "2"                          }
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
index dcaca06..66af466 100644
--- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190;
 // %n - http hostname ($_SERVER['SERVER_NAME'])
 // %d - domain (http hostname without the first part)
 // For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = '{{ ipsec[imapsvr.inventory_hostname_short] }}';
+$config['managesieve_host'] = '{{ imapsvr_addr | ipaddr }}';
 
 // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
 // or none. Optional, defaults to best method supported by server.
diff --git a/roles/webmail/templates/etc/stunnel/smtp.conf.j2 b/roles/webmail/templates/etc/stunnel/smtp.conf.j2
deleted file mode 100644
index ba38bfa..0000000
--- a/roles/webmail/templates/etc/stunnel/smtp.conf.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-; **************************************************************************
-; * Global options                                                         *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections  *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-key  = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode)               *
-; **************************************************************************
-
-[smtp]
-accept   = localhost:2525
-connect  = outgoing.fripost.org:{{ postfix_instance.out.port }}
-CAfile   = /etc/stunnel/certs/smtp.pem
-protocol = smtp
-
-; vim:ft=dosini
author	Guilhem Moulin <guilhem@fripost.org>	2016-07-09 23:46:21 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2016-07-10 01:07:39 +0200
commit	b441dd4a7c3ce72008968d324a12e5c342d164a3 (patch)
tree	8375a25dfb8a91d3d16cf426851cd1049bb508b3 /roles/webmail
parent	418b3303f17776e64341f990d13e98ce6f662bf5 (diff)