diff options
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 1 | ||||
| -rw-r--r-- | roles/common-web/files/etc/nginx/ssl/config | 12 | ||||
| -rw-r--r-- | roles/common/tasks/ipsec.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/samhain.yml | 7 | ||||
| -rw-r--r-- | roles/lists/handlers/main.yml | 3 | ||||
| -rw-r--r-- | roles/webmail/tasks/roundcube.yml | 2 |
6 files changed, 16 insertions, 11 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index b15b907..e234d73 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -72,7 +72,6 @@ smtp_bind_address = 172.16.0.1 smtpd_tls_security_level = encrypt smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key -smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config index 6f0546b..7deef29 100644 --- a/roles/common-web/files/etc/nginx/ssl/config +++ b/roles/common-web/files/etc/nginx/ssl/config @@ -1,18 +1,18 @@ ssl on; # See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization -keepalive_timeout 75 75; -ssl_session_timeout 5m; -ssl_session_cache shared:SSL:5m; +keepalive_timeout 75 75; +ssl_session_timeout 5m; +ssl_session_cache shared:SSL:5m; # XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST # attack. Sadly as of 2013 many clients don't support TLSv1.2, though. # The alternative would be to reject BEAST-vulnerable ciphers from TLSv1 # in favor of RC4, but that's not satisfactory either since RC4 has # other weaknesses. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH; -ssl_prefer_server_ciphers on; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH; +ssl_prefer_server_ciphers on; # Strict Transport Security header for enhanced security. See # http://www.chromium.org/sts. diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index 56c8300..7870626 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -55,6 +55,6 @@ - name: Auto-deactivate the dedicated interface for IPSec file: src=../if-up.d/ipsec dest=/etc/network/if-down.d/ipsec - owner=root group=root state=link + owner=root group=root state=link force=yes - meta: flush_handlers diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml index 0d911a5..10b1f46 100644 --- a/roles/common/tasks/samhain.yml +++ b/roles/common/tasks/samhain.yml @@ -5,8 +5,11 @@ - auditd # XXX: Doesn't work out of the box, see #660197. # Every once in a while, or after a major upgrade, you may want to - # update Samhain's database (to avoid being flooded at the next - # reboot): + # update Samhain's database: + # + # sudo samhain -t update --foreground + # + # To update the database without sending mails: # # sudo samhain -t update --foreground -m none diff --git a/roles/lists/handlers/main.yml b/roles/lists/handlers/main.yml index c27834e..308f708 100644 --- a/roles/lists/handlers/main.yml +++ b/roles/lists/handlers/main.yml @@ -4,3 +4,6 @@ - name: Reload Postfix service: name=postfix state=reloaded + +- name: Restart Nginx + service: name=nginx state=restarted diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 8e48208..477943f 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -79,7 +79,7 @@ file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root - state=link + state=link force=yes notify: - Restart Nginx |