summaryrefslogtreecommitdiffstats
path: root/roles/webmail
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-01 23:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:13 +0200
commitde4859456f1de54540c96ad97f62858dd089a980 (patch)
tree4b4904258ae3daf6a6b4f852cbc9821acdfa8cc4 /roles/webmail
parent170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (diff)
Replace IPSec tunnels by app-level ephemeral TLS sessions.
For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
Diffstat (limited to 'roles/webmail')
-rw-r--r--roles/webmail/tasks/roundcube.yml2
-rw-r--r--roles/webmail/templates/etc/postfix/main.cf.j220
-rw-r--r--roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j22
3 files changed, 14 insertions, 10 deletions
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 2085974..feb38ee 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -89,6 +89,8 @@
failed_when: r1.rc > 1
notify:
- Restart Nginx
+ tags:
+ - genkey
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index b070881..595f618 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -40,7 +40,7 @@ local_recipient_maps =
message_size_limit = 67108864
recipient_delimiter = +
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
{% if 'out' in group_names %}
relayhost = [127.0.0.1]:{{ postfix_instance.out.port }}
{% else %}
@@ -48,6 +48,7 @@ relayhost = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
{% endif %}
relay_domains =
+
# Don't rewrite remote headers
local_header_rewrite_clients =
# Avoid splitting the envelope and scanning messages multiple times
@@ -55,17 +56,18 @@ smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
-# Pass the mail to the antivirus
-#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
-
-# Tunnel everything through IPSec
-smtp_tls_security_level = none
{% if 'out' in group_names %}
-smtp_bind_address = 127.0.0.1
+smtp_tls_security_level = none
+smtp_bind_address = 127.0.0.1
{% else %}
-smtp_bind_address = 172.16.0.1
+smtp_tls_security_level = encrypt
+smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
+smtp_tls_fingerprint_digest = sha256
{% endif %}
-smtpd_tls_security_level = none
+smtpd_tls_security_level = none
strict_rfc821_envelopes = yes
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
index c716ddc..d88a09a 100644
--- a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
@@ -26,7 +26,7 @@ $rcmail_config['managesieve_auth_pw'] = null;
// use or not TLS for managesieve server connection
// it's because I've problems with TLS and dovecot's managesieve plugin
// and it's not needed on localhost
-$rcmail_config['managesieve_usetls'] = FALSE;
+$rcmail_config['managesieve_usetls'] = TRUE;
// default contents of filters script (eg. default spam filter)
$rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global';