diff options
-rw-r--r-- | roles/common/files/etc/systemd/system/stunnel4@.service | 5 | ||||
-rw-r--r-- | roles/common/tasks/stunnel.yml | 12 | ||||
-rw-r--r-- | roles/webmail/files/etc/roundcube/plugins/password/config.inc.php | 2 | ||||
-rw-r--r-- | roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket | 11 | ||||
-rw-r--r-- | roles/webmail/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/webmail/tasks/ldap.yml | 32 | ||||
-rw-r--r-- | roles/webmail/templates/etc/stunnel/ldap.conf.j2 (renamed from roles/webmail/files/etc/stunnel/ldap.conf) | 30 |
7 files changed, 53 insertions, 45 deletions
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service index 1a30599..4d69702 100644 --- a/roles/common/files/etc/systemd/system/stunnel4@.service +++ b/roles/common/files/etc/systemd/system/stunnel4@.service @@ -1,10 +1,15 @@ [Unit] Description=SSL tunnel for network daemons (instance %i) +Documentation=man:stunnel4(8) After=network.target nss-lookup.target PartOf=stunnel4.service ReloadPropagatedFrom=stunnel4.service [Service] +DynamicUser=yes +; force dynamic user/group allocation (stunnel4 user exists already) +User=_stunnel4-%i +Group=_stunnel4-%i ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf ExecReload=/bin/kill -HUP ${MAINPID} KillSignal=SIGINT diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml index 7cb8823..1522f1f 100644 --- a/roles/common/tasks/stunnel.yml +++ b/roles/common/tasks/stunnel.yml @@ -1,14 +1,7 @@ - name: Install stunnel4 apt: pkg=stunnel4 -- name: Set 'ENABLED=0' in /etc/default/stunnel4 - lineinfile: dest=/etc/default/stunnel4 - regexp='^(\s*#)?\s*ENABLED=' - line='ENABLED=0' - owner=root group=root - mode=0644 - -- name: Copy stunnel4 service file +- name: Copy stunnel4 service files copy: src=etc/systemd/system/{{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root @@ -18,3 +11,6 @@ with_items: - stunnel4.service - stunnel4@.service + +- name: Disable stunnel4 service + service: name=stunnel4.service enabled=false diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php index c32f58e..e53b753 100644 --- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php +++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php @@ -122,7 +122,7 @@ $config['password_saslpasswd_args'] = ''; // You can provide one or several hosts in an array in which case the hosts are tried from left to right. // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); // Default: 'localhost' -$config['password_ldap_host'] = 'localhost'; +$config['password_ldap_host'] = '127.0.0.1'; // LDAP server port to connect to // Default: '389' diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket new file mode 100644 index 0000000..72aa82c --- /dev/null +++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket @@ -0,0 +1,11 @@ +[Unit] +Description=SSL tunnel for network daemons (instance %i) +Documentation=man:stunnel4(8) + +[Socket] +BindToDevice=lo +ListenStream=127.0.0.1:389 +NoDelay=yes + +[Install] +WantedBy=sockets.target diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml index 0515c8b..5b730d7 100644 --- a/roles/webmail/handlers/main.yml +++ b/roles/webmail/handlers/main.yml @@ -7,3 +7,9 @@ - name: Restart Nginx service: name=nginx state=restarted + +- name: Stop stunnel4@ldap.service + service: name=stunnel4@ldap.service state=stopped + +- name: Restart stunnel4@ldap.socket + service: name=stunnel4@ldap.socket state=restarted diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml index 4abbd3a..f0b461c 100644 --- a/roles/webmail/tasks/ldap.yml +++ b/roles/webmail/tasks/ldap.yml @@ -1,3 +1,12 @@ +- name: Copy stunnel4@ldap.socket + copy: src=etc/systemd/system/stunnel4@ldap.socket + dest=/etc/systemd/system/stunnel4@ldap.socket + owner=root group=root + mode=0644 + notify: + - systemctl daemon-reload + - Restart stunnel4@ldap.socket + - name: Create /etc/stunnel/certs file: path=/etc/stunnel/certs state=directory @@ -9,22 +18,19 @@ dest=/etc/stunnel/certs/ldap.pem owner=root group=root mode=0644 - register: r1 notify: - - Restart stunnel@ldap + - Stop stunnel4@ldap.service - name: Configure stunnel - copy: src=etc/stunnel/ldap.conf - dest=/etc/stunnel/ldap.conf - owner=root group=root - mode=0644 - register: r2 + template: src=etc/stunnel/ldap.conf.j2 + dest=/etc/stunnel/ldap.conf + owner=root group=root + mode=0644 notify: - - Restart stunnel@ldap + - Stop stunnel4@ldap.service -- name: Enable stunnel@ldap - service: name=stunnel4@ldap enabled=yes +- name: Disable stunnel4@ldap.service + service: name=stunnel4@ldap.service enabled=false -- name: Start stunnel@ldap - service: name=stunnel4@ldap state=started - when: not (r1.changed or r2.changed) +- name: Start stunnel4@ldap.socket socket + service: name=stunnel4@ldap.socket state=started enabled=true diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 index 1a60a4f..6fce2bc 100644 --- a/roles/webmail/files/etc/stunnel/ldap.conf +++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 @@ -2,11 +2,6 @@ ; * Global options * ; ************************************************************************** -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail pid = foreground = yes @@ -17,31 +12,18 @@ debug = 4 ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** -; Certificate/key is needed in server mode and optional in client mode -;cert = /etc/stunnel/mail.pem -;key = /etc/stunnel/mail.pem client = yes -socket = a:SO_BINDTODEVICE=lo ; Some performance tunings -socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks -verify = 4 +verifyPeer = yes ; Disable support for insecure protocols -;options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - +sslVersionMin = TLSv1.2 options = NO_COMPRESSION -; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE - ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL @@ -50,8 +32,10 @@ ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL ; ************************************************************************** [ldaps] -accept = localhost:389 -connect = ldap.fripost.org:636 -CAfile = /etc/stunnel/certs/ldap.pem +; dummy address (socket-activated) +accept = 127.0.0.1:0 +connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636 +checkHost = ldap.fripost.org +CAfile = /etc/stunnel/certs/ldap.pem ; vim:ft=dosini |