authorGuilhem Moulin <guilhem@fripost.org>2015-05-31 04:02:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:54 +0200
commitb29601e313e8d35ec7edee343c82ca71ed6a3a12 (patch)
tree7b8cf31c97f405fe5b66c675256b962f2770b120 /roles
parentfa82a617a0c50b7478cd2b7189aa5f7d14449954 (diff)
Upgrade the webmail configuration from Wheezy to Jessie.
Diffstat (limited to 'roles')
-rw-r--r--roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf21
-rw-r--r--roles/IMAP-proxy/files/etc/stunnel/stunnel.conf22
-rw-r--r--roles/IMAP-proxy/tasks/main.yml13
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube1
-rw-r--r--roles/webmail/tasks/roundcube.yml2
-rw-r--r--roles/webmail/templates/etc/postfix/main.cf.j27
6 files changed, 42 insertions, 24 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
index 9c50531..e2225c3 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf
@@ -129,105 +129,102 @@ mail_gid = imapproxy
#mail_attribute_dict =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
-first_valid_gid = 1
+#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot/modules
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = virtual
+mail_plugins = virtual zlib
##
## Mailbox handling optimizations
##
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use dnotify, inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
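Review bot: Replacing `first_valid_uid = 1` with the commented-out default (`#first_valid_uid = 500`) silently raises the minimum login UID from 1 to 500, which the commit message does not mention; the hunk header shows the mail processes run as `mail_gid = imapproxy`, and if the matching mail_uid is a Debian system account (UIDs below 1000, often below 500) Dovecot will refuse every login with an "invalid UID" error. If the proxy user is indeed above 500 this is a welcome hardening (it stops logins as daemon users); in that case I would still state the intent rather than leave it to the stock comment, e.g. `# Explicit: the imapproxy mail_uid must be >= 500, never a daemon account.` followed by `first_valid_uid = 500`. If the proxy user is below 500, the previous explicit value (or the exact UID) has to be restored. The `first_valid_gid` change is a no-op, since 1 is the default.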
@@ -245,40 +242,44 @@ mail_plugins = virtual
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
index e77b557..f1c2a16 100644
--- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
@@ -22,41 +22,47 @@ pid = /var/run/stunnel4/stunnel4.pid
debug = 4
;output = /var/log/stunnel4/stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/stunnel/mail.pem
;key = /etc/stunnel/mail.pem
client = yes
socket = a:SO_BINDTODEVICE=lo
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Authentication stuff needs to be configured to prevent MITM attacks
verify = 4
-; Disable support for insecure SSLv2 protocol
+; Disable support for insecure protocols
options = NO_SSLv2
-; Workaround for Eudora bug
-;options = DONT_INSERT_EMPTY_FRAGMENTS
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
[imaps]
-accept = localhost:993
+accept = localhost:143
connect = imap.fripost.org:993
CAfile = /etc/stunnel/certs/imap.fripost.org.pem
-options = NO_SSLv3
-ciphers = ECDH+AES:DH+AES
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.fripost.org.pem
; vim:ft=dosini
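Review bot: The `!SSLv3:!TLSv1:!TLSv1.1` tail of the new global `ciphers` line does not disable protocols; in OpenSSL cipher-string syntax `SSLv3`/`TLSv1`/`TLSv1.2` are suite selectors (the protocol version a suite was first defined in), so `!SSLv3:!TLSv1` drops every SHA-1 suite such as `ECDHE-RSA-AES256-SHA` and `DHE-RSA-AES256-SHA`, leaving only the SHA-2/GCM suites, while `TLSv1.1` is, as far as I know, not a recognised alias at all and is silently ignored. Protocol lockdown is already done correctly by the `options = NO_SSLv3` / `NO_TLSv1` / `NO_TLSv1.1` lines above it (stunnel accumulates repeated `options` keys), so I would make the suite selection explicit instead of relying on a side effect: `ciphers = EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:!aNULL:!eNULL:!MEDIUM:!LOW:!EXP` with the comment `; Protocol versions are restricted via the NO_* options above, not here.` Separately, with `verify = 4` the remote leaf certificate itself must be in `CAfile`, so the new `[ldaps]` service is effectively pinned to `ldap.fripost.org.pem`; if that file ever grows into a chain, the Jessie stunnel supports `checkHost = ldap.fripost.org` to keep the name bound to the connection.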
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index 41bb7a3..2ddba96 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
@@ -56,34 +56,43 @@
- name: Create /etc/stunnel/certs
file: path=/etc/stunnel/certs
state=directory
owner=root group=root
mode=0755
- name: Copy Dovecot's X.509 certificate
# XXX: it's unfortunate that we have to store the whole CA chain...
# for some reason stunnel's level 4 "verify" (CA chain and only verify
# peer certificate) doesn't always work:
# https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html
assemble: src=certs/dovecot
remote_src=no
dest=/etc/stunnel/certs/imap.fripost.org.pem
owner=root group=root
mode=0644
register: r1
notify:
- Restart stunnel
+- name: Copy slapd's X.509 certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/stunnel/certs/ldap.fripost.org.pem
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel
+
- name: Configure stunnel
copy: src=etc/stunnel/stunnel.conf
dest=/etc/stunnel/stunnel.conf
owner=root group=root
mode=0644
- register: r2
+ register: r3
notify:
- Restart stunnel
- name: Start stunnel
service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
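Review bot: The new "Copy slapd's X.509 certificate" task copies a single file where the Dovecot task above assembles a directory and carries an `XXX` note explaining that the whole chain is stored because stunnel's `verify = 4` is unreliable with the leaf alone; the slapd task says nothing about which shape `certs/ldap/ldap.fripost.org.pem` is expected to have, so the two will drift. I would add a comment above it such as `# Unlike the Dovecot case this is the bare leaf certificate of ldap.fripost.org; stunnel's verify = 4 pins to it, so a CA bundle here would be wrong.` (adjust if the file is in fact a chain). Both certificates are world-readable (0644), which is fine since they are public keys only.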
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 5bff410..8251841 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -30,40 +30,41 @@ server {
root /usr/share/roundcube/skins/default/images;
log_not_found off;
access_log off;
expires max;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files, or files under hidden
# directories.
location ~ /\. { return 404; }
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
index index.php;
+ client_max_body_size 64m;
location = /index.php {
include fastcgi/php;
include fastcgi/php-ssl;
# From /var/lib/roundcube/.htaccess
fastcgi_param PHP_VALUE "upload_max_filesize=25M
post_max_size=30M
memory_limit=64M
session.gc_maxlifetime=21600
session.gc_divisor=500
session.gc_probability=1";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/javascript:/usr/share/tinymce:/usr/share/misc/magic
upload_tmp_dir=$document_root/temp";
}
# Security rules
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
return 404;
}
location ~ ^/(bin|SQL)/ {
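Review bot: `client_max_body_size 64m;` is larger than the `post_max_size=30M` (and `upload_max_filesize=25M`) that the `PHP_VALUE` block below hands to PHP-FPM, so a request body between 30 MB and 64 MB is accepted and buffered by nginx and proxied to PHP only to be discarded there, instead of being refused with a cheap 413 at the edge. I would align the two, `client_max_body_size 30m;`, and leave a marker `# keep in sync with post_max_size in PHP_VALUE below` so the next change to either value touches both. Note the enclosing `server { ... }` block starts and ends outside this hunk, so the directive applies to every location in it, not only `/index.php`.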
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 558f062..ebe93c8 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -16,41 +16,41 @@
- name: Copy fripost's logo
copy: src=var/lib/roundcube/skins/logo_webmail.png
dest=/var/lib/roundcube/skins/logo_webmail.png
owner=root group=root
mode=0644
- name: Configure Roundcube
lineinfile: dest=/etc/roundcube/main.inc.php
"regexp=^\\s*\\$rcmail_config\\['{{ item.var }}'\\]\\s*="
"line=$rcmail_config['{{ item.var }}'] = {{ item.value }};"
owner=root group=www-data
mode=0640
with_items:
# Logging/Debugging
- { var: smtp_log, value: "FALSE" }
# IMAP
- { var: default_host, value: "'localhost'" }
- { var: default_port, value: "143" }
- { var: imap_auth_type, value: "'plain'" }
- { var: imap_cache, value: "null" }
- - { var: messages_cache, value: "FALSE" }
+ - { var: messages_cache, value: "null" }
# SMTP
- { var: smtp_server, value: "'localhost'" }
- { var: smtp_port, value: "2580" }
# System
- { var: force_https, value: "TRUE" }
- { var: login_autocomplete, value: "2" }
- { var: skin_logo, value: "'skins/logo_webmail.png'" }
- { var: username_domain, value: "'fripost.org'" }
- { var: product_name, value: "'Fripost'" }
# Plugins
- { var: plugins, value: "array('additional_message_headers','managesieve','password')" }
# User Interface
- { var: skin, value: "'classic'" }
- { var: language, value: "'sv_SE'" }
- { var: create_default_folders, value: "TRUE" }
# User Preferences
- { var: htmleditor, value: "TRUE" }
- { var: skip_deleted, value: "TRUE" }
- { var: check_all_folders, value: "FALSE" }
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index 048302a..9d535c6 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -74,31 +74,32 @@ strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# UCE control
unknown_client_reject_code = 554
smtpd_client_restrictions =
permit_mynetworks
reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
+smtpd_relay_restrictions =
+ permit_mynetworks
+ reject
+
smtpd_recipient_restrictions =
- # RFC requirements
reject_non_fqdn_recipient
reject_unknown_recipient_domain
- permit_mynetworks
- reject
smtpd_data_restrictions =
reject_unauth_pipelining
# vim: set filetype=pfmain :
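Review bot: With `permit_mynetworks` and `reject` moved out of `smtpd_recipient_restrictions`, that list now ends without an explicit result and therefore falls through to Postfix's implicit permit; relay control rests entirely on the new `smtpd_relay_restrictions`, a parameter introduced in Postfix 2.10 that older releases (Wheezy's 2.9) log as unknown and ignore, which would turn this template into an open relay if it were ever applied to a pre-Jessie host. Postfix's own upgrade notes recommend keeping the old list as a belt-and-braces measure, so I would keep `smtpd_recipient_restrictions` ending in `permit_mynetworks` and `reject` as before, which is redundant on Jessie but costs nothing. A short comment above the new block, `# Postfix >= 2.10: relay policy lives here; recipient restrictions below are kept restrictive for older releases.`, would record why both exist.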