diff options
Diffstat (limited to 'roles/webmail/templates/etc')
-rw-r--r-- | roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 | 4 | ||||
-rw-r--r-- | roles/webmail/templates/etc/stunnel/ldap.conf.j2 | 41 |
2 files changed, 43 insertions, 2 deletions
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 index 66af466..7b424e4 100644 --- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 +++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 @@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190; // %n - http hostname ($_SERVER['SERVER_NAME']) // %d - domain (http hostname without the first part) // For example %n = mail.domain.tld, %d = domain.tld -$config['managesieve_host'] = '{{ imapsvr_addr | ipaddr }}'; +$config['managesieve_host'] = '{{ imapsvr_addr | ansible.utils.ipaddr }}'; // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL // or none. Optional, defaults to best method supported by server. @@ -60,7 +60,7 @@ $config['managesieve_replace_delimiter'] = ''; // mailbox, mboxmetadata, regex, reject, relational, servermetadata, // spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. // Note: not all extensions are implemented -$config['managesieve_disabled_extensions'] = array(); +$config['managesieve_disabled_extensions'] = array('reject','ereject'); // Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve $config['managesieve_debug'] = false; diff --git a/roles/webmail/templates/etc/stunnel/ldap.conf.j2 b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 new file mode 100644 index 0000000..6fce2bc --- /dev/null +++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 @@ -0,0 +1,41 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +pid = +foreground = yes + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +client = yes + +; Some performance tunings +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verifyPeer = yes + +; Disable support for insecure protocols +sslVersionMin = TLSv1.2 +options = NO_COMPRESSION + +; Select permitted SSL ciphers +ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[ldaps] +; dummy address (socket-activated) +accept = 127.0.0.1:0 +connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636 +checkHost = ldap.fripost.org +CAfile = /etc/stunnel/certs/ldap.pem + +; vim:ft=dosini |