Diffstat (limited to 'roles/webmail/templates/etc')
l--------- | roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 | 1 | ||||
-rw-r--r-- | roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 | 100 | ||||
-rw-r--r-- | roles/webmail/templates/etc/stunnel/ldap.conf.j2 (renamed from roles/webmail/templates/etc/stunnel/postfix.conf.j2) | 38 |
3 files changed, 113 insertions, 26 deletions
diff --git a/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2 b/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/webmail/templates/etc/nginx/snippets/mail.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2
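Review bot: The snippet this symlink pulls in is, going by its name, an HPKP (Public-Key-Pins) header for mail.fripost.org, and nothing in the commit records that pinning is a self-inflicted-outage risk: a served pin set that no longer matches the certificate chain locks browsers out for the header's max-age, and the major browsers have since dropped HPKP enforcement altogether, so the header now carries risk with little benefit. Whether the shared certs/hpkp-hdr.j2 template includes a backup pin cannot be seen from this hunk. A comment where the snippet is included (the vhost is outside this diff) or in the shared template, e.g. `# HPKP: keep a backup pin for the next key and shorten max-age before any key rotation`, would help whoever next rotates the mail certificate.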
\ No newline at end of file
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
new file mode 100644
index 0000000..7b424e4
--- /dev/null
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
@@ -0,0 +1,100 @@
+<?php
+
+// managesieve server port. When empty the port will be determined automatically
+// using getservbyname() function, with 4190 as a fallback.
+$config['managesieve_port'] = 4190;
+
+// managesieve server address, default is localhost.
+// Replacement variables supported in host name:
+// %h - user's IMAP hostname
+// %n - http hostname ($_SERVER['SERVER_NAME'])
+// %d - domain (http hostname without the first part)
+// For example %n = mail.domain.tld, %d = domain.tld
+$config['managesieve_host'] = '{{ imapsvr_addr | ansible.utils.ipaddr }}';
+
+// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
+// or none. Optional, defaults to best method supported by server.
+$config['managesieve_auth_type'] = 'PLAIN';
+
+// Optional managesieve authentication identifier to be used as authorization proxy.
+// Authenticate as a different user but act on behalf of the logged in user.
+// Works with PLAIN and DIGEST-MD5 auth.
+$config['managesieve_auth_cid'] = null;
+
+// Optional managesieve authentication password to be used for imap_auth_cid
+$config['managesieve_auth_pw'] = null;
+
+// use or not TLS for managesieve server connection
+// Note: tls:// prefix in managesieve_host is also supported
+$config['managesieve_usetls'] = false;
+
+// Connection scket context options
+// See http://php.net/manual/en/context.ssl.php
+// The example below enables server certificate validation
+//$config['managesieve_conn_options'] = array(
+// 'ssl' => array(
+// 'verify_peer' => true,
+// 'verify_depth' => 3,
+// 'cafile' => '/etc/openssl/certs/ca.crt',
+// ),
+// );
+$config['managesieve_conn_options'] = null;
+
+// default contents of filters script (eg. default spam filter)
+$config['managesieve_default'] = '/etc/dovecot/sieve/global';
+
+// The name of the script which will be used when there's no user script
+$config['managesieve_script_name'] = 'managesieve';
+
+// Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
+// but some implementations does not covert UTF-8 to modified UTF-7.
+// Defaults to UTF7-IMAP
+$config['managesieve_mbox_encoding'] = 'UTF-8';
+
+// I need this because my dovecot (with listescape plugin) uses
+// ':' delimiter, but creates folders with dot delimiter
+$config['managesieve_replace_delimiter'] = '';
+
+// disabled sieve extensions (body, copy, date, editheader, encoded-character,
+// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
+// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
+// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
+// Note: not all extensions are implemented
+$config['managesieve_disabled_extensions'] = array('reject','ereject');
+
+// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
+$config['managesieve_debug'] = false;
+
+// Enables features described in http://wiki.kolab.org/KEP:14
+$config['managesieve_kolab_master'] = false;
+
+// Script name extension used for scripts including. Dovecot uses '.sieve',
+// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
+$config['managesieve_filename_extension'] = '.sieve';
+
+// List of reserved script names (without extension).
+// Scripts listed here will be not presented to the user.
+$config['managesieve_filename_exceptions'] = array();
+
+// List of domains limiting destination emails in redirect action
+// If not empty, user will need to select domain from a list
+$config['managesieve_domains'] = array();
+
+// Enables separate management interface for vacation responses (out-of-office)
+// 0 - no separate section (default),
+// 1 - add Vacation section,
+// 2 - add Vacation section, but hide Filters section
+$config['managesieve_vacation'] = 0;
+
+// Default vacation interval (in days).
+// Note: If server supports vacation-seconds extension it is possible
+// to define interval in seconds here (as a string), e.g. "3600s".
+$config['managesieve_vacation_interval'] = 0;
+
+// Some servers require vacation :addresses to be filled with all
+// user addresses (aliases). This option enables automatic filling
+// of these on initial vacation form creation.
+$config['managesieve_vacation_addresses_init'] = false;
+
+// Supported methods of notify extension. Default: 'mailto'
+$config['managesieve_notify_methods'] = array('mailto');
diff --git a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
index 78922c8..6fce2bc 100644
--- a/roles/webmail/templates/etc/stunnel/postfix.conf.j2
+++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
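Review bot: `$config['managesieve_usetls'] = false;` together with `$config['managesieve_auth_type'] = 'PLAIN';` sends the logged-in user's password in cleartext to the ManageSieve port on `imapsvr_addr`, and `$config['managesieve_conn_options'] = null;` leaves no certificate checking to fall back on, yet nothing in the new file says what protects that hop. If the IMAP host is reached only over the IPsec link that the stunnel template in this same commit refers to, a comment stating that assumption next to the `usetls` line, e.g. `// No TLS on purpose: the IMAP host is reachable only over the IPsec link — confirm in the network role`, would stop someone later pointing `imapsvr_addr` at a routable address without noticing; otherwise `managesieve_usetls` should be `true` with `verify_peer` enabled in `managesieve_conn_options`, as the commented-out example a few lines above shows.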
@@ -1,55 +1,41 @@
 ; **************************************************************************
 ; * Global options *
 ; **************************************************************************
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid = /var/run/stunnel4/postfix.pid
+pid =
+foreground = yes
 ; Only log messages at severity warning (4) and higher
 debug = 4
 ; **************************************************************************
 ; * Service defaults may also be specified in individual service sections *
 ; **************************************************************************
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-key = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 client = yes
-socket = a:SO_BINDTODEVICE=lo
 ; Some performance tunings
-socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
 ; Prevent MITM attacks
-verify = 4
+verifyPeer = yes
 ; Disable support for insecure protocols
-options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-; These options provide additional security at some performance degradation
-options = SINGLE_ECDH_USE
-options = SINGLE_DH_USE
+sslVersionMin = TLSv1.2
+options = NO_COMPRESSION
 ; Select permitted SSL ciphers
-ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode) *
 ; **************************************************************************
-[smtp]
-accept = localhost:2525
-connect = outgoing.fripost.org:{{ postfix_instance.out.port }}
-CAfile = /etc/stunnel/certs/postfix.pem
-protocol = smtp
+[ldaps]
+; dummy address (socket-activated)
+accept = 127.0.0.1:0
+connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636
+checkHost = ldap.fripost.org
+CAfile = /etc/stunnel/certs/ldap.pem
 ; vim:ft=dosini |
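Review bot: Dropping `setuid = stunnel4` / `setgid = stunnel4` while adding `foreground = yes` and an empty `pid =` moves privilege dropping out of this file, so stunnel now runs as whatever the socket-activated systemd unit (not in this diff) starts it as; confirm that unit sets `User=`/`Group=` or equivalent, since a client-only tunnel that holds no private key and listens only on 127.0.0.1 has no reason to keep root. A comment on `foreground = yes`, e.g. `; started socket-activated by systemd, which is also responsible for dropping privileges — see the unit file`, would record where that responsibility went. Separately, `ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL` omits the `:` before each `!` rule; OpenSSL's cipher-string parser appears to accept `!` as the start of a new rule without a separator, but the conventional `ciphers = EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL` is unambiguous and matches the form the removed line used.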