diff options
Diffstat (limited to 'roles/IMAP-proxy/files')
| -rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf | 21 | ||||
| -rw-r--r-- | roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 22 |
2 files changed, 25 insertions, 18 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf index 9c50531..e2225c3 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf @@ -129,105 +129,102 @@ mail_gid = imapproxy #mail_attribute_dict = ## ## Mail processes ## # Don't use mmap() at all. This is required if you store indexes to shared # filesystems (NFS or clustered filesystem). #mmap_disable = no # Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL # since version 3, so this should be safe to use nowadays by default. #dotlock_use_excl = yes # When to use fsync() or fdatasync() calls: # optimized (default): Whenever necessary to avoid losing important data # always: Useful with e.g. NFS when write()s are delayed # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized -# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches -# whenever needed. If you're using only a single mail server this isn't needed. -#mail_nfs_storage = no -# Mail index files also exist in NFS. Setting this to yes requires -# mmap_disable=yes and fsync_disable=no. -#mail_nfs_index = no - # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. NFS users: flock doesn't work, remember to change mmap_disable. #lock_method = fcntl # Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. #mail_temp_dir = /tmp # Valid UID range for users, defaults to 500 and above. This is mostly # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. -first_valid_uid = 1 +#first_valid_uid = 500 #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. -first_valid_gid = 1 +#first_valid_gid = 1 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying # to create new keywords. #mail_max_keyword_length = 50 # ':' separated list of directories under which chrooting is allowed for mail # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). # This setting doesn't affect login_chroot, mail_chroot or auth chroot # settings. If this setting is empty, "/./" in home dirs are ignored. # WARNING: Never add directories here which local users can modify, that # may lead to root exploit. Usually this should be done only if you don't # allow shell access for users. <doc/wiki/Chrooting.txt> #valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory # (eg. /home/./user chroots into /home). Note that usually there is no real # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> #mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. #auth_socket_path = /var/run/dovecot/auth-userdb # Directory where to look up mail plugins. #mail_plugin_dir = /usr/lib/dovecot/modules # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = virtual +mail_plugins = virtual zlib ## ## Mailbox handling optimizations ## +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +mailbox_list_index = yes + # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. #mail_cache_min_mail_count = 0 # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum # time to wait between those checks. Dovecot can also use dnotify, inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs # Save mails with CR+LF instead of plain LF. This makes sending those mails # take less CPU, especially with sendfile() syscall with Linux and FreeBSD. # But it also creates a bit more disk I/O which may just make it slower. # Also note that if other software reads the mboxes/maildirs, they may handle # the extra CRs wrong and cause problems. #mail_save_crlf = no # Max number of mails to keep open and prefetch to memory. This only works with # some mailbox formats and/or operating systems. @@ -245,40 +242,44 @@ mail_plugins = virtual # Enabling this option makes Dovecot return only entries which are directories. # This is done by stat()ing each entry, so it causes more disk I/O. # (For systems setting struct dirent->d_type, this check is free and it's # done always regardless of this setting) #maildir_stat_dirs = no # When copying a message, do it with hard links whenever possible. This makes # the performance much better, and it's unlikely to have any side effects. #maildir_copy_with_hardlinks = yes # Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only # when its mtime changes unexpectedly or when we can't find the mail otherwise. #maildir_very_dirty_syncs = no # If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for # getting the mail's physical size, except when recalculating Maildir++ quota. # This can be useful in systems where a lot of the Maildir filenames have a # broken size. The performance hit for enabling this is very small. #maildir_broken_filename_sizes = no +# Always move mails from new/ directory to cur/, even when the \Recent flags +# aren't being reset. +#maildir_empty_new = no + ## ## mbox-specific settings ## # Which locking methods to use for locking mbox. There are four available: # dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe # solution. If you want to use /var/mail/ like directory, the users # will need write access to that directory. # dotlock_try: Same as dotlock, but if it fails because of permissions or # because there isn't enough disk space, just skip it. # fcntl : Use this if possible. Works with NFS too if lockd is used. # flock : May not exist in all systems. Doesn't work with NFS. # lockf : May not exist in all systems. Doesn't work with NFS. # # You can use multiple locking methods; if you do the order they're declared # in is important to avoid deadlocks if other MTAs/MUAs are using multiple # locking methods as well. Some operating systems don't allow using some of # them simultaneously. # # The Debian value for mbox_write_locks differs from upstream Dovecot. It is diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf index e77b557..f1c2a16 100644 --- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf @@ -22,41 +22,47 @@ pid = /var/run/stunnel4/stunnel4.pid debug = 4 ;output = /var/log/stunnel4/stunnel.log ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode ;cert = /etc/stunnel/mail.pem ;key = /etc/stunnel/mail.pem client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Authentication stuff needs to be configured to prevent MITM attacks verify = 4 -; Disable support for insecure SSLv2 protocol +; Disable support for insecure protocols options = NO_SSLv2 -; Workaround for Eudora bug -;options = DONT_INSERT_EMPTY_FRAGMENTS +options = NO_SSLv3 +options = NO_TLSv1 +options = NO_TLSv1.1 ; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE +options = SINGLE_ECDH_USE +options = SINGLE_DH_USE + +ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [imaps] -accept = localhost:993 +accept = localhost:143 connect = imap.fripost.org:993 CAfile = /etc/stunnel/certs/imap.fripost.org.pem -options = NO_SSLv3 -ciphers = ECDH+AES:DH+AES + +[ldaps] +accept = localhost:389 +connect = ldap.fripost.org:636 +CAfile = /etc/stunnel/certs/ldap.fripost.org.pem ; vim:ft=dosini |