diff options
Diffstat (limited to 'roles/IMAP')
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 4 | ||||
| -rw-r--r-- | roles/IMAP/tasks/imap.yml | 16 |
2 files changed, 16 insertions, 4 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index c727f4b..c5e61d7 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -4,42 +4,42 @@ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required # No need for SSL if the packets are protected by IPSec. local 172.16.0.1 { protocol imap { disable_plaintext_auth = no ssl = no } protocol sieve { disable_plaintext_auth = no ssl = no } } # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/dovecot/dovecot.pem -ssl_key = </etc/dovecot/private/dovecot.pem +ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem +ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index 6191a50..c9471f3 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -45,48 +45,60 @@ - name: Create virtual mailboxes copy: src=etc/dovecot/virtual/{{ item }}/dovecot-virtual dest=/etc/dovecot/virtual/{{ item }}/dovecot-virtual owner=root group=root mode=0644 with_items: - all - flagged - recent - unseen - name: Create directory /home/mail/spamspool # There is no possibility for a name clash, since 'spamspool' isn't a # valid domain file: path=/home/mail/spamspool state=directory owner=vmail group=vmail mode=0700 +- name: Generate a private key and a X.509 certificate for Dovecot + command: genkeypair.sh x509 + --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem + --privkey=/etc/dovecot/ssl/imap.fripost.org.key + --dns imap.fripost.org + -t rsa -b 4096 -h sha512 + register: r1 + changed_when: r1.rc == 0 + failed_when: r1.rc > 1 + notify: + - Restart Dovecot + - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 - register: r + register: r2 with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started - when: not r.changed + when: not (r1.changed or r2.changed) - meta: flush_handlers |