diff options
Diffstat (limited to 'roles/IMAP-proxy')
| -rw-r--r-- | roles/IMAP-proxy/files/etc/stunnel/imap.conf (renamed from roles/IMAP-proxy/files/etc/stunnel/stunnel.conf) | 19 | ||||
| -rw-r--r-- | roles/IMAP-proxy/tasks/main.yml | 4 |
2 files changed, 7 insertions, 16 deletions
diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/imap.conf index f1c2a16..af29023 100644 --- a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf +++ b/roles/IMAP-proxy/files/etc/stunnel/imap.conf @@ -1,68 +1,59 @@ -; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 -; Some options used here may be inadequate for your particular configuration -; This sample file does *not* represent stunnel.conf defaults -; Please consult the manual for detailed description of available options - ; ************************************************************************** ; * Global options * ; ************************************************************************** -; A copy of some devices and system files is needed within the chroot jail -; Chroot conflicts with configuration file reload and many other features -; Remember also to update the logrotate configuration. -;chroot = /var/lib/stunnel4/ -; Chroot jail can be escaped if setuid option is not used +; setuid()/setgid() to the specified user/group in daemon mode setuid = stunnel4 setgid = stunnel4 ; PID is created inside the chroot jail -pid = /var/run/stunnel4/stunnel4.pid +pid = /var/run/stunnel4/imap.pid -; Debugging stuff (may useful for troubleshooting) +; Only log messages at severity warning (4) and higher debug = 4 -;output = /var/log/stunnel4/stunnel.log ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode ;cert = /etc/stunnel/mail.pem ;key = /etc/stunnel/mail.pem client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 -; Authentication stuff needs to be configured to prevent MITM attacks +; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE +; Select permitted SSL ciphers ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [imaps] accept = localhost:143 connect = imap.fripost.org:993 CAfile = /etc/stunnel/certs/imap.fripost.org.pem [ldaps] accept = localhost:389 connect = ldap.fripost.org:636 CAfile = /etc/stunnel/certs/ldap.fripost.org.pem ; vim:ft=dosini diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index 7773cb3..a75a612 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -66,33 +66,33 @@ # https://www.stunnel.org/pipermail/stunnel-users/2013-July/004249.html assemble: src=certs/dovecot remote_src=no dest=/etc/stunnel/certs/imap.fripost.org.pem owner=root group=root mode=0644 register: r1 notify: - Restart stunnel - name: Copy slapd's X.509 certificate copy: src=certs/ldap/ldap.fripost.org.pem dest=/etc/stunnel/certs/ldap.fripost.org.pem owner=root group=root mode=0644 register: r2 notify: - Restart stunnel - name: Configure stunnel - copy: src=etc/stunnel/stunnel.conf - dest=/etc/stunnel/stunnel.conf + copy: src=etc/stunnel/imap.conf + dest=/etc/stunnel/imap.conf owner=root group=root mode=0644 register: r3 notify: - Restart stunnel - name: Start stunnel service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers |