authorGuilhem Moulin <guilhem@fripost.org>2016-05-17 20:35:37 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-17 22:07:45 +0200
commit7a562e807515506d7dca2f370f63057be7366c34 (patch)
tree129a3fb021685ce04f9916c3163eb13ae3f30570 /roles
parentc459a95cd4013e489ef4f9d47c05d1c98798522c (diff)
roundube: Pin X.509 certificate for sieve.fripost.org:4190.
Diffstat (limited to 'roles')
-rw-r--r--roles/webmail/tasks/roundcube.yml10
-rw-r--r--roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 (renamed from roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php)7
2 files changed, 11 insertions, 6 deletions
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index eb04ba1..e416656 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -10,41 +10,40 @@
- name: Install GNU Aspell and some dictionaries
apt: pkg={{ item }}
with_items:
- aspell
- aspell-da
- aspell-de
- aspell-en
- aspell-es
- aspell-fr
- aspell-no
- aspell-sv
- name: Install Roundcube
apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports
with_items:
- roundcube-core
- roundcube-mysql
- roundcube-plugins
- php-net-sieve
- php-net-ldap3
- - php-mail-mimedecode
- name: Copy fripost's logo
copy: src=usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png
dest=/usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png
owner=root group=root
mode=0644
with_items:
- classic
- larry
- name: Configure Roundcube
lineinfile: dest=/etc/roundcube/config.inc.php
regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*='
line='$config[\'{{ item.var }}\'] = {{ item.value }};'
owner=root group=www-data
mode=0640
with_items:
# Logging/Debugging
- { var: smtp_log, value: "false" }
# IMAP
@@ -80,43 +79,50 @@
- name: Make the logo a hyperlink to the website
lineinfile: dest=/usr/share/roundcube/skins/{{ item }}/templates/login.html
regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png"[^>]* />)$'
line='<a href="https://fripost.org">\1</a>'
backrefs=yes
owner=root group=root
mode=0644
with_items:
- classic
- larry
- name: Configure Roundcube plugins
copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php
dest=/etc/roundcube/plugins/{{ item }}/config.inc.php
owner=root group=root
mode=0644
with_items:
- additional_message_headers
- jqueryui
- - managesieve
- password
+- name: Configure Roundcube plugins (2)
+ template: src=etc/roundcube/plugins/{{ item }}/config.inc.php.j2
+ dest=/etc/roundcube/plugins/{{ item }}/config.inc.php
+ owner=root group=root
+ mode=0644
+ with_items:
+ - managesieve
+
- name: Start php5-fpm
service: name=php5-fpm state=started
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
dest=/etc/nginx/sites-available/roundcube
owner=root group=root
mode=0644
register: r1
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/roundcube
file: src=../sites-available/roundcube
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
state=link force=yes
register: r2
notify:
- Restart Nginx
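Review bot: The new `Configure Roundcube plugins (2)` task (second hunk, after the `password` item) renders a template whose output embeds a pinned certificate fingerprint, so the deployed managesieve config goes stale whenever the sieve.fripost.org certificate is renewed and connections will then fail verification, yet nothing in the task records that coupling. A comment above the task such as `# managesieve config pins the SHA-1 fingerprint of certs/public/imap.fripost.org.pem; re-run after every certificate renewal` would make the operational dependency visible to whoever rotates the certificate. The `lookup('pipe', …)` that computes the fingerprint runs on the Ansible controller against a path that appears to be relative to the playbook directory, so if that file is missing the pipeline presumably yields an empty string and an empty `peer_fingerprint` value — likely failing closed, but a `stat`/`assert` on the controller before this task, or a `failed_when` on the rendered value, would make that explicit instead of leaving it to PHP's stream context. The `(2)` suffix in the task name says nothing about why the task is separate from the `copy`-based one above it; `Configure Roundcube plugins (templated)` would read better.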
diff --git a/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
index 9c9b3fc..6ad7343 100644
--- a/roles/webmail/files/etc/roundcube/plugins/managesieve/config.inc.php
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -9,52 +9,51 @@ $config['managesieve_port'] = 4190;
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
$config['managesieve_host'] = 'sieve.fripost.org';
// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
// or none. Optional, defaults to best method supported by server.
$config['managesieve_auth_type'] = 'PLAIN';
// Optional managesieve authentication identifier to be used as authorization proxy.
// Authenticate as a different user but act on behalf of the logged in user.
// Works with PLAIN and DIGEST-MD5 auth.
$config['managesieve_auth_cid'] = null;
// Optional managesieve authentication password to be used for imap_auth_cid
$config['managesieve_auth_pw'] = null;
// use or not TLS for managesieve server connection
// Note: tls:// prefix in managesieve_host is also supported
-$config['managesieve_usetls'] = false;
+$config['managesieve_usetls'] = true;
// Connection scket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
$config['managesieve_conn_options'] = array(
'ssl' => array(
'verify_peer' => true,
- 'verify_depth' => 3,
- 'cafile' => '/etc/stunnel/certs/imap.fripost.org.pem',
'disable_compression' => true,
- 'ciphers' => 'EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL',
+ 'ciphers' => 'EECDH+AES!MEDIUM!LOW!EXP!aNULL!eNULL',
+ 'peer_fingerprint' => array('sha1' => '{{ lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem -noout -fingerprint -sha1 | sed "s/[^=]*=\s*//" | tr -d :') }}'),
),
);
// default contents of filters script (eg. default spam filter)
$config['managesieve_default'] = '/etc/dovecot/sieve/global';
// The name of the script which will be used when there's no user script
$config['managesieve_script_name'] = 'managesieve';
// Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
// but some implementations does not covert UTF-8 to modified UTF-7.
// Defaults to UTF7-IMAP
$config['managesieve_mbox_encoding'] = 'UTF-8';
// I need this because my dovecot (with listescape plugin) uses
// ':' delimiter, but creates folders with dot delimiter
$config['managesieve_replace_delimiter'] = '';
// disabled sieve extensions (body, copy, date, editheader, encoded-character,
// envelope, environment, ereject, fileinto, ihave, imap4flags, index,