diff options
Diffstat (limited to 'roles/webmail/files/etc')
10 files changed, 80 insertions, 90 deletions
diff --git a/roles/webmail/files/etc/cron.d/roundcube-core b/roles/webmail/files/etc/cron.d/roundcube-core new file mode 100644 index 0000000..6d9e7af --- /dev/null +++ b/roles/webmail/files/etc/cron.d/roundcube-core @@ -0,0 +1,7 @@ +# +# Roundcube database cleaning: finally removes all records that are +# marked as deleted. +MAILTO=root + +# m h dom mon dow user command +0 5 * * * _roundcube /usr/share/roundcube/bin/cleandb.sh >/dev/null diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index ae73562..46012f8 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -6,10 +6,10 @@ server { server_name mail.fripost.org; server_name webmail.fripost.org; - include snippets/acme-challenge.conf; + include /etc/lacme/nginx.conf; - access_log /var/log/nginx/roundcube.access.log; - error_log /var/log/nginx/roundcube.error.log info; + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; location / { return 301 https://$host$request_uri; @@ -24,22 +24,27 @@ server { server_name mail.fripost.org; server_name webmail.fripost.org; - root /var/lib/roundcube; + root /var/lib/roundcube/public_html; include snippets/headers.conf; add_header Content-Security-Policy - "default-src 'none'; child-src 'self'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; + "default-src 'none'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; include snippets/ssl.conf; ssl_certificate ssl/mail.fripost.org.pem; ssl_certificate_key ssl/mail.fripost.org.key; include snippets/mail.fripost.org.hpkp-hdr; + gzip on; + gzip_static on; + gzip_vary on; + gzip_min_length 256; + gzip_types application/font-woff application/font-woff2 application/javascript application/json application/xml image/svg+xml image/x-icon text/css text/plain text/vcard; + location = /favicon.ico { - root /usr/share/roundcube/skins/default/images; + root /usr/share/roundcube/skins/elastic/images; log_not_found off; access_log off; - expires max; } location = /robots.txt { @@ -48,28 +53,24 @@ server { access_log off; } - access_log /var/log/nginx/roundcube.access.log; - error_log /var/log/nginx/roundcube.error.log info; + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; client_max_body_size 64m; location = / { index index.php; } location = /index.php { + # TODO enable gzip for Roundcube >=1.5: it's immune to BREACH attacks once + # $config['session_samesite'] is set to 'Strict', see + # https://github.com/roundcube/roundcubemail/pull/6772 + # https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies + gzip off; include snippets/fastcgi-php-ssl.conf; - - # From /var/lib/roundcube/.htaccess - fastcgi_param PHP_VALUE "upload_max_filesize=25M - post_max_size=30M - memory_limit=64M - session.gc_maxlifetime=21600 - session.gc_divisor=500 - session.gc_probability=1"; - fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/javascript:/usr/share/tinymce:/usr/share/misc/magic:/dev - upload_tmp_dir=$document_root/temp"; + fastcgi_pass unix:/var/run/php/php7.3-fpm@roundcube.sock; } - location ~ "^/(?:plugins|program/js|program/resources|skins)/.*[^./]\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tif|ttf|woff)$" { - try_files $uri =404; + location ~ "^/(?:plugins|program/js|program/resources|skins)(?:/[[:alnum:]][[:alnum:]\-\._]*)+\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tiff?|ttf|webp|woff2?)$" { expires 30d; + try_files $uri =404; } location / { internal; } } diff --git a/roles/webmail/files/etc/php/fpm/pool.d/roundcube.conf b/roles/webmail/files/etc/php/fpm/pool.d/roundcube.conf new file mode 100644 index 0000000..1512d66 --- /dev/null +++ b/roles/webmail/files/etc/php/fpm/pool.d/roundcube.conf @@ -0,0 +1,22 @@ +[roundcube] +user = _roundcube +group = nogroup +listen = /run/php/php7.3-fpm@roundcube.sock +listen.owner = www-data +listen.group = www-data +listen.mode = 0600 +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +php_value[upload_max_filesize] = 25M +php_value[post_max_size] = 30M +php_value[memory_limit] = 64M +php_value[session.gc_maxlifetime] = 21600 +php_value[session.gc_divisor] = 500 +php_value[session.gc_probability] = 1 + +php_admin_value[upload_tmp_dir] = /var/lib/roundcube/temp +php_admin_value[open_basedir] = /var/lib/roundcube:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/javascript:/usr/lib/nodejs:/usr/share/tinymce:/usr/share/misc/magic:/dev diff --git a/roles/webmail/files/etc/roundcube/plugins/authres_status/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/authres_status/config.inc.php new file mode 100644 index 0000000..6d41d4f --- /dev/null +++ b/roles/webmail/files/etc/roundcube/plugins/authres_status/config.inc.php @@ -0,0 +1,6 @@ +<?php + +$config['use_fallback_verifier'] = false; +$config['trusted_mtas'] = array('mx1.fripost.org', 'mx2.fripost.org'); + +?> diff --git a/roles/webmail/files/etc/roundcube/plugins/html5_notifier/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/html5_notifier/config.inc.php new file mode 100644 index 0000000..1ec7922 --- /dev/null +++ b/roles/webmail/files/etc/roundcube/plugins/html5_notifier/config.inc.php @@ -0,0 +1,6 @@ +<?php + +$config['html5_notifier_duration'] = '3'; +$config['html5_notifier_smbox'] = '1'; + +?> diff --git a/roles/webmail/files/etc/roundcube/plugins/jqueryui/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/jqueryui/config.inc.php deleted file mode 100644 index bb9720b..0000000 --- a/roles/webmail/files/etc/roundcube/plugins/jqueryui/config.inc.php +++ /dev/null @@ -1,11 +0,0 @@ -<?php - -// if you want to load localization strings for specific sub-libraries of jquery-ui, configure them here -$config['jquery_ui_i18n'] = array('datepicker'); - -// map Roundcube skins with jquery-ui themes here -$config['jquery_ui_skin_map'] = array( - 'default' => 'smoothness', -); - -?> diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php index c32f58e..e53b753 100644 --- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php +++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php @@ -122,7 +122,7 @@ $config['password_saslpasswd_args'] = ''; // You can provide one or several hosts in an array in which case the hosts are tried from left to right. // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); // Default: 'localhost' -$config['password_ldap_host'] = 'localhost'; +$config['password_ldap_host'] = '127.0.0.1'; // LDAP server port to connect to // Default: '389' diff --git a/roles/webmail/files/etc/roundcube/plugins/thunderbird_labels/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/thunderbird_labels/config.inc.php new file mode 100644 index 0000000..2abb423 --- /dev/null +++ b/roles/webmail/files/etc/roundcube/plugins/thunderbird_labels/config.inc.php @@ -0,0 +1,5 @@ +<?php + +$rcmail_config['tb_label_enable'] = true; + +?> diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf deleted file mode 100644 index b8c7787..0000000 --- a/roles/webmail/files/etc/stunnel/ldap.conf +++ /dev/null @@ -1,57 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -;cert = /etc/stunnel/mail.pem -;key = /etc/stunnel/mail.pem -client = yes -socket = a:SO_BINDTODEVICE=lo - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -;options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[ldaps] -accept = localhost:389 -connect = ldap.fripost.org:636 -CAfile = /etc/stunnel/certs/ldap.pem - -; vim:ft=dosini diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket new file mode 100644 index 0000000..72aa82c --- /dev/null +++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket @@ -0,0 +1,11 @@ +[Unit] +Description=SSL tunnel for network daemons (instance %i) +Documentation=man:stunnel4(8) + +[Socket] +BindToDevice=lo +ListenStream=127.0.0.1:389 +NoDelay=yes + +[Install] +WantedBy=sockets.target |