3 files changed, 14 insertions, 10 deletions

diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 2085974..feb38ee 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -72,40 +72,42 @@
             mode=0644
   with_items:
     - additional_message_headers
     - managesieve
     - password
 
 - name: Start php5-fpm
   service: name=php5-fpm state=started
 
 - name: Generate a private key and a X.509 certificate for Nginx
   command: genkeypair.sh x509
                          --pubkey=/etc/nginx/ssl/mail.fripost.org.pem
                          --privkey=/etc/nginx/ssl/mail.fripost.org.key
                          --dns=mail.fripost.org
                          -t rsa -b 4096 -h sha512
   register: r1
   changed_when: r1.rc == 0
   failed_when: r1.rc > 1
   notify:
     - Restart Nginx
+  tags:
+    - genkey
 
 - name: Copy /etc/nginx/sites-available/roundcube
   copy: src=etc/nginx/sites-available/roundcube
         dest=/etc/nginx/sites-available/roundcube
         owner=root group=root
         mode=0644
   register: r2
   notify:
     - Restart Nginx
 
 - name: Create /etc/nginx/sites-enabled/roundcube
   file: src=../sites-available/roundcube
         dest=/etc/nginx/sites-enabled/roundcube
         owner=root group=root
         state=link force=yes
   register: r3
   notify:
     - Restart Nginx
 
 - name: Start Nginx
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
index b070881..595f618 100644
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ b/roles/webmail/templates/etc/postfix/main.cf.j2
@@ -23,66 +23,68 @@ master_service_disable = !127.0.0.1:2580.inet inet
 queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
 data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
 multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
 multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
 multi_instance_enable = yes
 
 # This server is a nullclient 
 mynetworks_style = host
 inet_interfaces  = loopback-only
 
 # No local delivery
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
 message_size_limit  = 67108864
 recipient_delimiter = +
 
-# Forward everything to our internal mailhub
+# Forward everything to our internal outgoing proxy
 {% if 'out' in group_names %}
 relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
 {% else %}
 relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
 {% endif %}
 relay_domains =
 
+
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
 
-# Pass the mail to the antivirus
-#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
-
-# Tunnel everything through IPSec
-smtp_tls_security_level  = none
 {% if 'out' in group_names %}
-smtp_bind_address        = 127.0.0.1
+smtp_tls_security_level         = none
+smtp_bind_address               = 127.0.0.1
 {% else %}
-smtp_bind_address        = 172.16.0.1
+smtp_tls_security_level         = encrypt
+smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
+smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
+smtp_tls_fingerprint_digest     = sha256
 {% endif %}
-smtpd_tls_security_level = none
+smtpd_tls_security_level        = none
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
 unknown_client_reject_code = 554
 
 smtpd_client_restrictions =
     permit_mynetworks
     reject
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     permit_mynetworks
     reject_non_fqdn_helo_hostname
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
index c716ddc..d88a09a 100644
--- a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
@@ -9,41 +9,41 @@ $rcmail_config['managesieve_port'] = 4190;
 // %n - http hostname ($_SERVER['SERVER_NAME'])
 // %d - domain (http hostname without the first part)
 // For example %n = mail.domain.tld, %d = domain.tld
 $rcmail_config['managesieve_host'] = 'imap.fripost.org';
 
 // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
 // or none. Optional, defaults to best method supported by server.
 $rcmail_config['managesieve_auth_type'] = 'PLAIN';
 
 // Optional managesieve authentication identifier to be used as authorization proxy.
 // Authenticate as a different user but act on behalf of the logged in user.
 // Works with PLAIN and DIGEST-MD5 auth.
 $rcmail_config['managesieve_auth_cid'] = null;
 
 // Optional managesieve authentication password to be used for imap_auth_cid
 $rcmail_config['managesieve_auth_pw'] = null;
 
 // use or not TLS for managesieve server connection
 // it's because I've problems with TLS and dovecot's managesieve plugin
 // and it's not needed on localhost
-$rcmail_config['managesieve_usetls'] = FALSE;
+$rcmail_config['managesieve_usetls'] = TRUE;
 
 // default contents of filters script (eg. default spam filter)
 $rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global';
 
 // The name of the script which will be used when there's no user script
 $rcmail_config['managesieve_script_name'] = 'managesieve';
 
 // Sieve RFC says that we should use UTF-8 endcoding for mailbox names,
 // but some implementations does not covert UTF-8 to modified UTF-7.
 // Defaults to UTF7-IMAP
 $rcmail_config['managesieve_mbox_encoding'] = 'UTF-8';
 
 // I need this because my dovecot (with listescape plugin) uses
 // ':' delimiter, but creates folders with dot delimiter
 $rcmail_config['managesieve_replace_delimiter'] = '';
 
 // disabled sieve extensions (body, copy, date, editheader, encoded-character,
 // envelope, environment, ereject, fileinto, ihave, imap4flags, index,
 // mailbox, mboxmetadata, regex, reject, relational, servermetadata,
 // spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.