diff options
| -rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf | 4 | ||||
| -rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext | 2 | ||||
| -rw-r--r-- | roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 57 | ||||
| -rw-r--r-- | roles/IMAP-proxy/handlers/main.yml | 3 | ||||
| -rw-r--r-- | roles/IMAP-proxy/tasks/main.yml | 46 | ||||
| -rw-r--r-- | roles/IMAP/tasks/imap.yml | 10 |
6 files changed, 119 insertions, 3 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf index 242762e..ea39a32 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf @@ -1,17 +1,17 @@ # Smart IMAP proxying with imapc storage # # http://dovecot.org/pipermail/dovecot/2011-January/056975.html # http://wiki2.dovecot.org/HowTo/ImapcProxy # http://wiki2.dovecot.org/Migration/Dsync -imapc_host = imap.fripost.org -imapc_port = 143 +imapc_host = localhost +imapc_port = 993 # Read multiple mails in parallel, improves performance mail_prefetch_count = 20 # The list of valid features can be found there # http://hg.dovecot.org/dovecot-2.2/file/tip/src/lib-storage/index/imapc/imapc-settings.c # (in the struct 'imapc_feature_list imapc_feature_list') imapc_features = rfc822.size #imapc_features = rfc822.size fetch-headers diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext index e292092..7ab096f 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext @@ -1,17 +1,17 @@ # Authentication via remote IMAP server. Included from auth.conf. # # <doc/wiki/PasswordDatabase.IMAP.txt> passdb { driver = imap - args = host=imap.fripost.org port=143 + args = host=localhost port=993 default_fields = userdb_imapc_password=%w } # "prefetch" user database means that the passdb already provided the # needed information and there's no need to do a separate userdb lookup. # <doc/wiki/UserDatabase.Prefetch.txt> userdb { driver = prefetch default_fields = home=/home/imapproxy/%d/%n } diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf new file mode 100644 index 0000000..026bc30 --- /dev/null +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf @@ -0,0 +1,57 @@ +; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 +; Some options used here may be inadequate for your particular configuration +; This sample file does *not* represent stunnel.conf defaults +; Please consult the manual for detailed description of available options + +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; A copy of some devices and system files is needed within the chroot jail +; Chroot conflicts with configuration file reload and many other features +; Remember also to update the logrotate configuration. +;chroot = /var/lib/stunnel4/ +; Chroot jail can be escaped if setuid option is not used +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/stunnel4.pid + +; Debugging stuff (may useful for troubleshooting) +debug = 4 +;output = /var/log/stunnel4/stunnel.log + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Authentication stuff needs to be configured to prevent MITM attacks +verify = 4 + +; Disable support for insecure SSLv2 protocol +options = NO_SSLv2 +; Workaround for Eudora bug +;options = DONT_INSERT_EMPTY_FRAGMENTS + +; These options provide additional security at some performance degradation +;options = SINGLE_ECDH_USE +;options = SINGLE_DH_USE + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[imaps] +accept = localhost:993 +connect = imap.fripost.org:993 +CAfile = /etc/stunnel/certs/imap.fripost.org.pem +ciphers = ECDH+AES:DH+AES + +; vim:ft=dosini diff --git a/roles/IMAP-proxy/handlers/main.yml b/roles/IMAP-proxy/handlers/main.yml index 45f817d..5249a7e 100644 --- a/roles/IMAP-proxy/handlers/main.yml +++ b/roles/IMAP-proxy/handlers/main.yml @@ -1,3 +1,6 @@ --- +- name: Restart stunnel + service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted + - name: Restart Dovecot service: name=dovecot state=restarted diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index bb6e5be..73a0dee 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -23,20 +23,66 @@ dest=/etc/dovecot/conf.d/{{ item }} owner=root group=root mode=0644 register: r with_items: - 10-auth.conf - 10-logging.conf - 10-mail.conf - 10-master.conf - 15-mailboxes.conf - 20-imapc.conf - auth-imap.conf.ext notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started when: not r.changed - meta: flush_handlers + + +- name: Install stunnel + apt: pkg=stunnel4 + +- name: Auto-enable stunnel + lineinfile: dest=/etc/default/stunnel4 + regexp='^(\s*#)?\s*ENABLED=' + line='ENABLED=1' + owner=root group=root + mode=0644 + +- name: Create /etc/stunnel/certs + file: path=/etc/stunnel/certs + state=directory + owner=root group=root + mode=0755 + +- name: Copy Dovecot's X.509 certificate + # XXX: it's unfortunate that we have to store the whole CA chain... + # for some reason stunnel's level 4 "verify" (CA chain and only verify + # peer certificate) doesn't always work: + # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html + assemble: src=certs/dovecot + remote_src=no + dest=/etc/stunnel/certs/imap.fripost.org.pem + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart stunnel + +- name: Configure stunnel + copy: src=etc/stunnel/stunnel.conf + dest=/etc/stunnel/stunnel.conf + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart stunnel + +- name: Start stunnel + service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started + when: not (r1.changed or r2.changed) + +- meta: flush_handlers diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index 3e93c53..be451ef 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -65,40 +65,50 @@ - name: Create directory /etc/dovecot/ssl file: path=/etc/dovecot/ssl state=directory owner=root group=root mode=0755 - name: Generate a private key and a X.509 certificate for Dovecot command: genkeypair.sh x509 --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem --privkey=/etc/dovecot/ssl/imap.fripost.org.key --dns=imap.fripost.org -t rsa -b 4096 -h sha512 register: r1 changed_when: r1.rc == 0 failed_when: r1.rc > 1 notify: - Restart Dovecot tags: - genkey +- name: Fetch Dovecot's X.509 certificate + # Ensure we don't fetch private data + sudo: False + fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem + dest=certs/dovecot/ + fail_on_missing=yes + flat=yes + tags: + - genkey + - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 register: r2 with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext |