-rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf | 4 | ||||
-rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext | 2 | ||||
-rw-r--r-- | roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 57 | ||||
-rw-r--r-- | roles/IMAP-proxy/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/IMAP-proxy/tasks/main.yml | 46 | ||||
-rw-r--r-- | roles/IMAP/tasks/imap.yml | 10 |
6 files changed, 119 insertions, 3 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
index 242762e..ea39a32 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/20-imapc.conf
@@ -4,8 +4,8 @@
 # http://wiki2.dovecot.org/HowTo/ImapcProxy
 # http://wiki2.dovecot.org/Migration/Dsync
-imapc_host = imap.fripost.org
-imapc_port = 143
+imapc_host = localhost
+imapc_port = 993
 # Read multiple mails in parallel, improves performance
 mail_prefetch_count = 20
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
index e292092..7ab096f 100644
--- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
+++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/auth-imap.conf.ext
@@ -4,7 +4,7 @@
 passdb {
 driver = imap
- args = host=imap.fripost.org port=143
+ args = host=localhost port=993
 default_fields = userdb_imapc_password=%w
 }
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
new file mode 100644
index 0000000..026bc30
--- /dev/null
+++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf
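Review bot: Nothing next to the new `imapc_host = localhost` / `imapc_port = 993` lines says that localhost:993 is stunnel's listener rather than an IMAPS socket, so a reader of this file alone will assume this hop is TLS; with no `imapc_ssl` setting visible here the loopback leg is plaintext and every server-certificate check now lives in stunnel. Add above `imapc_host = localhost`: `# localhost:993 is stunnel's [imaps] listener (/etc/stunnel/stunnel.conf): this leg is plaintext on loopback, TLS and the certificate check towards imap.fripost.org are done by stunnel`. The same comment belongs on the `args = host=localhost port=993` line in the auth-imap.conf.ext hunk, which must stay in sync with the `accept` line of stunnel.conf. A side effect worth recording is that with stunnel down the imapc connection should be refused rather than silently taking the old plaintext path to the remote host.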
@@ -0,0 +1,57 @@
+; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
+; Some options used here may be inadequate for your particular configuration
+; This sample file does *not* represent stunnel.conf defaults
+; Please consult the manual for detailed description of available options
+
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; A copy of some devices and system files is needed within the chroot jail
+; Chroot conflicts with configuration file reload and many other features
+; Remember also to update the logrotate configuration.
+;chroot = /var/lib/stunnel4/
+; Chroot jail can be escaped if setuid option is not used
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/stunnel4.pid
+
+; Debugging stuff (may useful for troubleshooting)
+debug = 4
+;output = /var/log/stunnel4/stunnel.log
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+;cert = /etc/stunnel/mail.pem
+;key = /etc/stunnel/mail.pem
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Authentication stuff needs to be configured to prevent MITM attacks
+verify = 4
+
+; Disable support for insecure SSLv2 protocol
+options = NO_SSLv2
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; These options provide additional security at some performance degradation
+;options = SINGLE_ECDH_USE
+;options = SINGLE_DH_USE
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode) *
+; 
**************************************************************************
+
+[imaps]
+accept = localhost:993
+connect = imap.fripost.org:993
+CAfile = /etc/stunnel/certs/imap.fripost.org.pem
+ciphers = ECDH+AES:DH+AES
+
+; vim:ft=dosini
diff --git a/roles/IMAP-proxy/handlers/main.yml b/roles/IMAP-proxy/handlers/main.yml
index 45f817d..5249a7e 100644
--- a/roles/IMAP-proxy/handlers/main.yml
+++ b/roles/IMAP-proxy/handlers/main.yml
@@ -1,3 +1,6 @@
 ---
+- name: Restart stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
+
 - name: Restart Dovecot
 service: name=dovecot state=restarted
diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml
index bb6e5be..73a0dee 100644
--- a/roles/IMAP-proxy/tasks/main.yml
+++ b/roles/IMAP-proxy/tasks/main.yml
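Review bot: `options = NO_SSLv2` in the new stunnel.conf still leaves SSLv3 negotiable on this client connection; since that block is the one about disabling insecure protocols, add `options = NO_SSLv3` right under it (stunnel takes the OpenSSL SSL_OP_ names without the prefix, exactly as `NO_SSLv2` is written here). `verify = 4` together with `CAfile` pins the upstream to whatever is in /etc/stunnel/certs/imap.fripost.org.pem, which is the right mode for a fixed peer, but that file is assembled from the whole chain (see the XXX note in the tasks/main.yml hunk), so trust is as wide as the file's contents rather than a single leaf certificate. A comment above `CAfile` along the lines of `; fetched Dovecot certificate chain of imap.fripost.org, not a public CA bundle; stunnel trusts only what is in this file` would spare the next reader a trip through the playbook. `debug = 4` with `output` commented out means only warnings and above reach syslog, which is fine for production but worth knowing when a verification failure needs diagnosing.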
@@ -40,3 +40,49 @@
 when: not r.changed
 - meta: flush_handlers
+
+
+- name: Install stunnel
+ apt: pkg=stunnel4
+
+- name: Auto-enable stunnel
+ lineinfile: dest=/etc/default/stunnel4
+ regexp='^(\s*#)?\s*ENABLED='
+ line='ENABLED=1'
+ owner=root group=root
+ mode=0644
+
+- name: Create /etc/stunnel/certs
+ file: path=/etc/stunnel/certs
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy Dovecot's X.509 certificate
+ # XXX: it's unfortunate that we have to store the whole CA chain...
+ # for some reason stunnel's level 4 "verify" (CA chain and only verify
+ # peer certificate) doesn't always work:
+ # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html
+ assemble: src=certs/dovecot
+ remote_src=no
+ dest=/etc/stunnel/certs/imap.fripost.org.pem
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart stunnel
+
+- name: Configure stunnel
+ copy: src=etc/stunnel/stunnel.conf
+ dest=/etc/stunnel/stunnel.conf
+ owner=root group=root
+ mode=0644
+ register: r2
+ notify:
+ - Restart stunnel
+
+- name: Start stunnel
+ service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index 3e93c53..be451ef 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -82,6 +82,16 @@
 tags:
 - genkey
+- name: Fetch Dovecot's X.509 certificate
+ # Ensure we don't fetch private data
+ sudo: False
+ fetch: src=/etc/dovecot/ssl/imap.fripost.org.pem
+ dest=certs/dovecot/
+ fail_on_missing=yes
+ flat=yes
+ tags:
+ - genkey
+
 - name: Configure Dovecot
 copy: src=etc/dovecot/{{ item }}
 dest=/etc/dovecot/{{ item }} |
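Review bot: `assemble: src=certs/dovecot` in the "Copy Dovecot's X.509 certificate" task concatenates every file in that directory into the CAfile that stunnel's `verify = 4` trusts, so anything that lands beside imap.fripost.org.pem in certs/dovecot/ (an editor backup, a second host's fetch) silently becomes an accepted peer certificate. Restrict the input, e.g. `regexp='^imap\.fripost\.org\.pem$'` on the assemble task if this Ansible version supports assemble's regexp option, or fetch into a directory that holds nothing else, and say so in the XXX comment. The `Start stunnel` task's `when: not (r1.changed or r2.changed)` follows the existing `when: not r.changed` / flush_handlers pattern above it, so no issue there. The enclosing task list starts before this hunk.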
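Review bot: `# Ensure we don't fetch private data` on the new fetch task states the intent but not how it is enforced: the safeguard is `sudo: False`, which makes the fetch run as the unprivileged login user, so a file that is not world-readable (one carrying the private key, for instance) fails the task instead of being copied into certs/dovecot/ on the controller. Expand it to `# Deliberately unprivileged: if this file were not world-readable (i.e. contained the private key) the fetch must fail rather than copy it into the repository`. Whether /etc/dovecot/ssl/imap.fripost.org.pem is certificate-only cannot be checked from this hunk, so the comment should state that as the assumption. The surrounding task list starts before and continues after this hunk.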