author | Guilhem Moulin <guilhem@fripost.org> | 2016-06-05 17:30:00 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-06-05 17:33:25 +0200 |
commit | 17d7427e0bc5e61ee10e28cbc5cba5b8a7566d58 (patch) | |
tree | 00dc894e22ab7221e908faeac98095835b0a0782 /roles | |
parent | 57e40efc54c230566fd5f6bd10d25692709909b7 (diff) |
Use stunnel to secure the connection from the webmail to ldap.fripost.org.
We should use IPSec instead, but doing so would force us to weaken
slapd.conf's ‘security’ setting.
Diffstat (limited to 'roles')
-rw-r--r-- | roles/common/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/webmail/files/etc/stunnel/ldap.conf | 57 | ||||
-rw-r--r-- | roles/webmail/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/webmail/tasks/ldap.yml | 32 | ||||
-rw-r--r-- | roles/webmail/tasks/main.yml | 6 |
5 files changed, 99 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 04681bd..e419bf3 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,6 +15,7 @@
 - include: stunnel.yml
   tags: stunnel
+  when: "'webmail' in group_names and ('LDAP-provider' not in group_names or 'out' not in group_names)"
 - include: samhain.yml
   tags: samhain
 - include: auditd.yml
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
new file mode 100644
index 0000000..1149bce
--- /dev/null
+++ b/roles/webmail/files/etc/stunnel/ldap.conf
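Review bot: The new `when:` on the stunnel.yml include packs two unrelated deployment rules into one expression — because of the parenthesised `or`, stunnel4 is skipped only on a webmail host that is in both `LDAP-provider` and `out` — and nothing in the file says why those two groups matter. The LDAP half mirrors the `'LDAP-provider' not in group_names` guard on the ldap.yml include in roles/webmail/tasks/main.yml (last hunk), and the `out` half presumably belongs to the existing SMTP tunnel (inferred from the `Restart stunnel@smtp` handler), so the two conditions have to be kept in step by hand. A comment above the line such as `# webmail hosts need stunnel4 for the LDAP tunnel (ldap.yml, skipped on the LDAP-provider) and for the SMTP tunnel (skipped on 'out' hosts)` would make that dependency visible to whoever edits either file. The enclosing task list continues outside the hunk.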
@@ -0,0 +1,57 @@
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid =
+foreground = yes
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+;cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+options = NO_COMPRESSION
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; **************************************************************************
+
+[ldaps]
+accept = localhost:389
+connect = ldap.fripost.org:636
+CAfile = /etc/stunnel/certs/ldap.pem
+
+; vim:ft=dosini
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 6009de0..17a0dc4 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
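Review bot: `verify = 4` in the `[ldaps]` service is not ordinary CA validation: stunnel's level 4 ignores the certificate chain and compares the peer certificate directly against CAfile, so `/etc/stunnel/certs/ldap.pem` has to be ldap.fripost.org's own end-entity certificate (which is what roles/webmail/tasks/ldap.yml copies there) and the tunnel stops connecting the moment that certificate is renewed, until the copy is redeployed. The comment `; Prevent MITM attacks` hides that pinning behaviour; I would replace it with `; Pin the peer certificate: level 4 ignores the CA chain and matches the server's own certificate in CAfile, so CAfile must be redeployed whenever ldap.fripost.org's certificate is renewed`. It is also worth a line next to `accept = localhost:389` saying that the clear-text side, although bound to the loopback interface via `SO_BINDTODEVICE=lo`, is reachable by every local process on the webmail host, so the LDAP server's own bind/ACL rules are what limits what other local users can read through the tunnel.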
@@ -2,5 +2,8 @@
 - name: Restart stunnel@smtp
   service: name=stunnel4@smtp state=restarted
+- name: Restart stunnel@ldap
+  service: name=stunnel4@ldap state=restarted
+
 - name: Restart Nginx
   service: name=nginx state=restarted
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
new file mode 100644
index 0000000..6df3324
--- /dev/null
+++ b/roles/webmail/tasks/ldap.yml
@@ -0,0 +1,32 @@
+- name: Create /etc/stunnel/certs
+  file: path=/etc/stunnel/certs
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy the ldap's X.509 certificate
+  copy: src=certs/ldap/ldap.fripost.org.pem
+        dest=/etc/stunnel/certs/ldap.pem
+        owner=root group=root
+        mode=0644
+  register: r1
+  notify:
+    - Restart stunnel@ldap
+
+- name: Configure stunnel
+  copy: src=etc/stunnel/ldap.conf
+        dest=/etc/stunnel/ldap.conf
+        owner=root group=root
+        mode=0644
+  register: r2
+  notify:
+    - Restart stunnel@ldap
+
+- name: Enable stunnel@ldap
+  service: name=stunnel4@ldap enabled=yes
+
+- name: Start stunnel@ldap
+  service: name=stunnel4@ldap state=started
+  when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index 8ee50bd..9c40a34 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -3,6 +3,12 @@
   tags:
     - postfix
     - mail
+    - stunnel
+- include: ldap.yml
+  when: "'LDAP-provider' not in group_names"
+  tags:
+    - ldap
+    - stunnel
 - include: roundcube.yml
   tags:
     - roundcube
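Review bot: In roles/webmail/tasks/ldap.yml the `Start stunnel@ldap` task is skipped whenever the two copy results `r1`/`r2` report a change, which silently relies on the notified `Restart stunnel@ldap` handler (run by the closing `meta: flush_handlers`) to bring the service up on exactly those runs; nothing in the file states that coupling, and `r1`/`r2` are opaque names that could collide with results registered by the role's other task files, which I cannot see here. I would register them as `register: ldap_cert` and `register: ldap_conf`, write the guard as `when: not (ldap_cert.changed or ldap_conf.changed)`, and put `# when the cert or config changed, the Restart stunnel@ldap handler (flushed below) starts the service instead` above it.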