diff options
Diffstat (limited to 'roles/webmail')
17 files changed, 220 insertions, 118 deletions
diff --git a/roles/webmail/files/etc/cron.d/roundcube-core b/roles/webmail/files/etc/cron.d/roundcube-core new file mode 100644 index 0000000..6d9e7af --- /dev/null +++ b/roles/webmail/files/etc/cron.d/roundcube-core @@ -0,0 +1,7 @@ +# +# Roundcube database cleaning: finally removes all records that are +# marked as deleted. +MAILTO=root + +# m h dom mon dow user command +0 5 * * * _roundcube /usr/share/roundcube/bin/cleandb.sh >/dev/null diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index ae73562..46012f8 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -6,10 +6,10 @@ server { server_name mail.fripost.org; server_name webmail.fripost.org; - include snippets/acme-challenge.conf; + include /etc/lacme/nginx.conf; - access_log /var/log/nginx/roundcube.access.log; - error_log /var/log/nginx/roundcube.error.log info; + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; location / { return 301 https://$host$request_uri; @@ -24,22 +24,27 @@ server { server_name mail.fripost.org; server_name webmail.fripost.org; - root /var/lib/roundcube; + root /var/lib/roundcube/public_html; include snippets/headers.conf; add_header Content-Security-Policy - "default-src 'none'; child-src 'self'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; + "default-src 'none'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; include snippets/ssl.conf; ssl_certificate ssl/mail.fripost.org.pem; ssl_certificate_key ssl/mail.fripost.org.key; include snippets/mail.fripost.org.hpkp-hdr; + gzip on; + gzip_static on; + gzip_vary on; + gzip_min_length 256; + gzip_types application/font-woff application/font-woff2 application/javascript application/json application/xml image/svg+xml image/x-icon text/css text/plain text/vcard; + location = /favicon.ico { - root /usr/share/roundcube/skins/default/images; + root /usr/share/roundcube/skins/elastic/images; log_not_found off; access_log off; - expires max; } location = /robots.txt { @@ -48,28 +53,24 @@ server { access_log off; } - access_log /var/log/nginx/roundcube.access.log; - error_log /var/log/nginx/roundcube.error.log info; + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; client_max_body_size 64m; location = / { index index.php; } location = /index.php { + # TODO enable gzip for Roundcube >=1.5: it's immune to BREACH attacks once + # $config['session_samesite'] is set to 'Strict', see + # https://github.com/roundcube/roundcubemail/pull/6772 + # https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies + gzip off; include snippets/fastcgi-php-ssl.conf; - - # From /var/lib/roundcube/.htaccess - fastcgi_param PHP_VALUE "upload_max_filesize=25M - post_max_size=30M - memory_limit=64M - session.gc_maxlifetime=21600 - session.gc_divisor=500 - session.gc_probability=1"; - fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/javascript:/usr/share/tinymce:/usr/share/misc/magic:/dev - upload_tmp_dir=$document_root/temp"; + fastcgi_pass unix:/var/run/php/php7.3-fpm@roundcube.sock; } - location ~ "^/(?:plugins|program/js|program/resources|skins)/.*[^./]\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tif|ttf|woff)$" { - try_files $uri =404; + location ~ "^/(?:plugins|program/js|program/resources|skins)(?:/[[:alnum:]][[:alnum:]\-\._]*)+\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tiff?|ttf|webp|woff2?)$" { expires 30d; + try_files $uri =404; } location / { internal; } } diff --git a/roles/webmail/files/etc/php/fpm/pool.d/roundcube.conf b/roles/webmail/files/etc/php/fpm/pool.d/roundcube.conf new file mode 100644 index 0000000..1512d66 --- /dev/null +++ b/roles/webmail/files/etc/php/fpm/pool.d/roundcube.conf @@ -0,0 +1,22 @@ +[roundcube] +user = _roundcube +group = nogroup +listen = /run/php/php7.3-fpm@roundcube.sock +listen.owner = www-data +listen.group = www-data +listen.mode = 0600 +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +php_value[upload_max_filesize] = 25M +php_value[post_max_size] = 30M +php_value[memory_limit] = 64M +php_value[session.gc_maxlifetime] = 21600 +php_value[session.gc_divisor] = 500 +php_value[session.gc_probability] = 1 + +php_admin_value[upload_tmp_dir] = /var/lib/roundcube/temp +php_admin_value[open_basedir] = /var/lib/roundcube:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/javascript:/usr/lib/nodejs:/usr/share/tinymce:/usr/share/misc/magic:/dev diff --git a/roles/webmail/files/etc/roundcube/plugins/authres_status/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/authres_status/config.inc.php new file mode 100644 index 0000000..6d41d4f --- /dev/null +++ b/roles/webmail/files/etc/roundcube/plugins/authres_status/config.inc.php @@ -0,0 +1,6 @@ +<?php + +$config['use_fallback_verifier'] = false; +$config['trusted_mtas'] = array('mx1.fripost.org', 'mx2.fripost.org'); + +?> diff --git a/roles/webmail/files/etc/roundcube/plugins/html5_notifier/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/html5_notifier/config.inc.php new file mode 100644 index 0000000..1ec7922 --- /dev/null +++ b/roles/webmail/files/etc/roundcube/plugins/html5_notifier/config.inc.php @@ -0,0 +1,6 @@ +<?php + +$config['html5_notifier_duration'] = '3'; +$config['html5_notifier_smbox'] = '1'; + +?> diff --git a/roles/webmail/files/etc/roundcube/plugins/jqueryui/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/jqueryui/config.inc.php deleted file mode 100644 index bb9720b..0000000 --- a/roles/webmail/files/etc/roundcube/plugins/jqueryui/config.inc.php +++ /dev/null @@ -1,11 +0,0 @@ -<?php - -// if you want to load localization strings for specific sub-libraries of jquery-ui, configure them here -$config['jquery_ui_i18n'] = array('datepicker'); - -// map Roundcube skins with jquery-ui themes here -$config['jquery_ui_skin_map'] = array( - 'default' => 'smoothness', -); - -?> diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php index c32f58e..e53b753 100644 --- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php +++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php @@ -122,7 +122,7 @@ $config['password_saslpasswd_args'] = ''; // You can provide one or several hosts in an array in which case the hosts are tried from left to right. // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); // Default: 'localhost' -$config['password_ldap_host'] = 'localhost'; +$config['password_ldap_host'] = '127.0.0.1'; // LDAP server port to connect to // Default: '389' diff --git a/roles/webmail/files/etc/roundcube/plugins/thunderbird_labels/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/thunderbird_labels/config.inc.php new file mode 100644 index 0000000..2abb423 --- /dev/null +++ b/roles/webmail/files/etc/roundcube/plugins/thunderbird_labels/config.inc.php @@ -0,0 +1,5 @@ +<?php + +$rcmail_config['tb_label_enable'] = true; + +?> diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket new file mode 100644 index 0000000..72aa82c --- /dev/null +++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket @@ -0,0 +1,11 @@ +[Unit] +Description=SSL tunnel for network daemons (instance %i) +Documentation=man:stunnel4(8) + +[Socket] +BindToDevice=lo +ListenStream=127.0.0.1:389 +NoDelay=yes + +[Install] +WantedBy=sockets.target diff --git a/roles/webmail/files/usr/share/roundcube/skins/classic/images/fripost_logo.png b/roles/webmail/files/usr/share/roundcube/program/resources/fripost_logo_black.png Binary files differindex 7af586a..7af586a 100644 --- a/roles/webmail/files/usr/share/roundcube/skins/classic/images/fripost_logo.png +++ b/roles/webmail/files/usr/share/roundcube/program/resources/fripost_logo_black.png diff --git a/roles/webmail/files/usr/share/roundcube/skins/larry/images/fripost_logo.png b/roles/webmail/files/usr/share/roundcube/program/resources/fripost_logo_white.png Binary files differindex c581a30..c581a30 100644 --- a/roles/webmail/files/usr/share/roundcube/skins/larry/images/fripost_logo.png +++ b/roles/webmail/files/usr/share/roundcube/program/resources/fripost_logo_white.png diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml index 446c771..5b730d7 100644 --- a/roles/webmail/handlers/main.yml +++ b/roles/webmail/handlers/main.yml @@ -2,8 +2,14 @@ - name: Restart stunnel@ldap service: name=stunnel4@ldap state=restarted -- name: Restart php7.0-fpm - service: name=php7.0-fpm state=restarted +- name: Restart php7.3-fpm + service: name=php7.3-fpm state=restarted - name: Restart Nginx service: name=nginx state=restarted + +- name: Stop stunnel4@ldap.service + service: name=stunnel4@ldap.service state=stopped + +- name: Restart stunnel4@ldap.socket + service: name=stunnel4@ldap.socket state=restarted diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml index b24860c..f0b461c 100644 --- a/roles/webmail/tasks/ldap.yml +++ b/roles/webmail/tasks/ldap.yml @@ -1,3 +1,12 @@ +- name: Copy stunnel4@ldap.socket + copy: src=etc/systemd/system/stunnel4@ldap.socket + dest=/etc/systemd/system/stunnel4@ldap.socket + owner=root group=root + mode=0644 + notify: + - systemctl daemon-reload + - Restart stunnel4@ldap.socket + - name: Create /etc/stunnel/certs file: path=/etc/stunnel/certs state=directory @@ -9,24 +18,19 @@ dest=/etc/stunnel/certs/ldap.pem owner=root group=root mode=0644 - register: r1 notify: - - Restart stunnel@ldap + - Stop stunnel4@ldap.service - name: Configure stunnel - copy: src=etc/stunnel/ldap.conf - dest=/etc/stunnel/ldap.conf - owner=root group=root - mode=0644 - register: r2 + template: src=etc/stunnel/ldap.conf.j2 + dest=/etc/stunnel/ldap.conf + owner=root group=root + mode=0644 notify: - - Restart stunnel@ldap - -- name: Enable stunnel@ldap - service: name=stunnel4@ldap enabled=yes + - Stop stunnel4@ldap.service -- name: Start stunnel@ldap - service: name=stunnel4@ldap state=started - when: not (r1.changed or r2.changed) +- name: Disable stunnel4@ldap.service + service: name=stunnel4@ldap.service enabled=false -- meta: flush_handlers +- name: Start stunnel4@ldap.socket socket + service: name=stunnel4@ldap.socket state=started enabled=true diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml index 210d277..146c36f 100644 --- a/roles/webmail/tasks/main.yml +++ b/roles/webmail/tasks/main.yml @@ -1,5 +1,5 @@ - import_tasks: ldap.yml - when: "'LDAP-provider' not in group_names" + when: "'LDAP_provider' not in group_names" tags: - ldap - stunnel diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index b7678a3..dc73358 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -9,22 +9,57 @@ # spell-checking - php-enchant -- name: Configure PHP 7.0 Zend opcache - lineinfile: dest=/etc/php/7.0/fpm/php.ini +## TODO: run php as a dedicated system user +- name: Configure PHP 7.3 Zend opcache + lineinfile: dest=/etc/php/7.3/fpm/php.ini regexp='^;?{{ item.var }}\\s*=' line="{{ item.var }} = {{ item.value }}" owner=root group=root mode=0644 with_items: - - { var: opcache.enable, value: 1 } - - { var: opcache.enable_cli, value: 1 } - { var: opcache.memory_consumption, value: 128 } - - { var: opcache.interned_strings_buffer, value: 8 } - - { var: opcache.max_accelerated_files, value: 2048 } - { var: opcache.revalidate_freq, value: 60 } - - { var: opcache.fast_shutdown, value: 1 } notify: - - Restart php7.0-fpm + - Restart php7.3-fpm + +- name: Create '_roundcube' user + user: name=_roundcube system=yes + group=nogroup + createhome=no + home=/nonexistent + shell=/usr/sbin/nologin + password=! + state=present + +- name: Delete PHP 7.3 FPM's www pool + file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent + notify: + - Restart php7.3-fpm + +- name: Configure PHP 7.3 FPM's roundcube pool + copy: src=etc/php/fpm/pool.d/roundcube.conf + dest=/etc/php/7.3/fpm/pool.d/roundcube.conf + owner=root group=root + mode=0644 + notify: + - Restart php7.3-fpm + +- name: Start php7.3-fpm + service: name=php7.3-fpm state=started + +# Make it sticky: `dpkg-statoverride --add _roundcube nogroup 0700 /var/lib/roundcube/temp` +- name: Create cache directory /var/lib/roundcube/temp + file: path=/var/lib/roundcube/temp + state=directory + owner=_roundcube group=nogroup + mode=0700 + +# Make it sticky: `dpkg-statoverride --add _roundcube adm 0750 /var/log/roundcube` +- name: Create cache directory /var/log/roundcube + file: path=/var/log/roundcube + state=directory + owner=_roundcube group=adm + mode=0750 - name: Install GNU Aspell and some dictionaries apt: pkg={{ packages }} @@ -40,64 +75,69 @@ - aspell-sv - name: Install Roundcube - apt: pkg={{ packages }} + apt: pkg={{ packages }} default_release={{ ansible_lsb.codename }}-backports vars: packages: - roundcube-core - roundcube-mysql - roundcube-plugins + - roundcube-plugins-extra + +- name: Install plugin dependencies + apt: pkg={{ packages }} + vars: + packages: - php-net-sieve - - php-net-ldap3 - name: Copy fripost's logo - copy: src=usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png - dest=/usr/share/roundcube/skins/{{ item }}/images/fripost_logo.png + copy: src=usr/share/roundcube/program/resources/{{ item }} + dest=/usr/share/roundcube/program/resources/{{ item }} owner=root group=root mode=0644 with_items: - - classic - - larry + - fripost_logo_black.png + - fripost_logo_white.png - name: Configure Roundcube lineinfile: dest=/etc/roundcube/config.inc.php regexp='^\\s*\\$config\\[\'{{ item.var }}\'\\]\\s*=' line='$config[\'{{ item.var }}\'] = {{ item.value }};' - owner=root group=www-data - mode=0640 + owner=_roundcube group=nogroup + mode=0600 with_items: # Logging/Debugging - { var: smtp_log, value: "false" } # IMAP # WARNING: After hostname change update of mail_host column in users # table is required to match old user data records with the new host. - - { var: default_host, value: "'{{ imapsvr_addr | ipaddr }}'" } - - { var: default_port, value: "143" } - - { var: imap_auth_type, value: "'PLAIN'" } - - { var: imap_cache, value: "null" } - - { var: imap_timeout, value: "180" } - - { var: imap_force_ns, value: "true" } - - { var: messages_cache, value: "false" } + - { var: default_host, value: "'{{ imapsvr_addr | ansible.utils.ipaddr }}'" } + - { var: default_port, value: "143" } + - { var: imap_auth_type, value: "'PLAIN'" } + - { var: imap_cache, value: "null" } + - { var: imap_timeout, value: "180" } + - { var: imap_force_ns, value: "true" } + - { var: messages_cache, value: "false" } # SMTP - - { var: smtp_server, value: "'{{ postfix_instance.MSA.addr | ipaddr }}'" } - - { var: smtp_port, value: "{{ postfix_instance.MSA.port }}" } - - { var: smtp_auth_type, value: "'PLAIN'" } - - { var: smtp_user, value: "'%u'" } - - { var: smtp_pass, value: "'%p'" } + - { var: smtp_server, value: "'{{ postfix_instance.MSA.addr | ansible.utils.ipaddr }}'" } + - { var: smtp_port, value: "{{ postfix_instance.MSA.port }}" } + - { var: smtp_auth_type, value: "'PLAIN'" } + - { var: smtp_user, value: "'%u'" } + - { var: smtp_pass, value: "'%p'" } # System - - { var: force_https, value: "true" } - - { var: login_autocomplete, value: "2" } - - { var: skin_logo, value: "'/images/fripost_logo.png'" } - - { var: username_domain, value: "'fripost.org'" } - - { var: product_name, value: "'Fripost Webmail'" } - - { var: password_charset, value: "'UTF-8'" } + - { var: force_https, value: "true" } + - { var: login_autocomplete, value: "2" } + - { var: username_domain, value: "'fripost.org'" } + - { var: product_name, value: "'Fripost Webmail'" } + - { var: password_charset, value: "'UTF-8'" } + - { var: skin_logo, value: 'array("classic:*" => "program/resources/fripost_logo_black.png", "larry:*" => "program/resources/fripost_logo_white.png", "elastic:login[favicon]" => "", "elastic:login" => "program/resources/fripost_logo_black.png")' } # Plugins - - { var: plugins, value: "array('archive','additional_message_headers','managesieve','password')" } + - { var: plugins, value: "array('archive','additional_message_headers','attachment_reminder','authres_status','emoticons','hide_blockquote','html5_notifier','managesieve','password','thunderbird_labels','vcard_attachments')" } # Spell Checking - { var: enable_spellcheck, value: "'true'" } - { var: spellcheck_engine, value: "'enchant'" } - { var: spellcheck_languages, value: "array('da','de','en','es','fr','no','sv')" } # User Interface - - { var: skin, value: "'larry'" } + - { var: skin, value: "'elastic'" } - { var: language, value: "'sv_SE'" } - { var: create_default_folders, value: "true" } - { var: support_url, value: "'https://fripost.org/kontakt/'" } @@ -105,17 +145,22 @@ - { var: htmleditor, value: "3" } - { var: skip_deleted, value: "true" } - { var: check_all_folders, value: "false" } + - { var: hide_blockquote_limit, value: "8" } + - { var: attachment_reminder, value: "true" } + # Don't allow overriding these settings + - { var: dont_override, value: "array('use_fallback_verifier', 'trusted_mtas')" } - name: Make the logo a hyperlink to the website lineinfile: dest=/usr/share/roundcube/skins/{{ item }}/templates/login.html - regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png"[^>]* />)$' - line='<a href="https://fripost.org">\1</a>' + regexp='^(\s*)(<roundcube:object name="logo" src="[^"]*"[^>]* />)' + line='\1<a href="https://fripost.org">\2</a>' backrefs=yes owner=root group=root mode=0644 with_items: - classic - larry + - elastic - name: Configure Roundcube plugins copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php @@ -124,8 +169,10 @@ mode=0644 with_items: - additional_message_headers - - jqueryui + - authres_status - password + - html5_notifier + - thunderbird_labels - name: Configure Roundcube plugins (2) template: src=etc/roundcube/plugins/{{ item }}/config.inc.php.j2 @@ -135,8 +182,22 @@ with_items: - managesieve -- name: Start php7.0-fpm - service: name=php7.0-fpm state=started +- name: Start php7.3-fpm + service: name=php7.3-fpm state=started + +- name: Copy /etc/cron.d/roundcube-core + copy: src=etc/cron.d/roundcube-core + dest=/etc/cron.d/roundcube-core + owner=root group=root + mode=0644 + +- name: Tweak /etc/logrotate.d/roundcube-core + lineinfile: dest=/etc/logrotate.d/roundcube-core + regexp='^(\s*)create\s+[0-9]+\s+\S+\s+adm$' + backrefs=yes + line='\1create 0640 _roundcube adm' + owner=root group=root + mode=0644 - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 index 66af466..7b424e4 100644 --- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 +++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 @@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190; // %n - http hostname ($_SERVER['SERVER_NAME']) // %d - domain (http hostname without the first part) // For example %n = mail.domain.tld, %d = domain.tld -$config['managesieve_host'] = '{{ imapsvr_addr | ipaddr }}'; +$config['managesieve_host'] = '{{ imapsvr_addr | ansible.utils.ipaddr }}'; // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL // or none. Optional, defaults to best method supported by server. @@ -60,7 +60,7 @@ $config['managesieve_replace_delimiter'] = ''; // mailbox, mboxmetadata, regex, reject, relational, servermetadata, // spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. // Note: not all extensions are implemented -$config['managesieve_disabled_extensions'] = array(); +$config['managesieve_disabled_extensions'] = array('reject','ereject'); // Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve $config['managesieve_debug'] = false; diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 index b8c7787..6fce2bc 100644 --- a/roles/webmail/files/etc/stunnel/ldap.conf +++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 @@ -2,11 +2,6 @@ ; * Global options * ; ************************************************************************** -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail pid = foreground = yes @@ -17,41 +12,30 @@ debug = 4 ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** -; Certificate/key is needed in server mode and optional in client mode -;cert = /etc/stunnel/mail.pem -;key = /etc/stunnel/mail.pem client = yes -socket = a:SO_BINDTODEVICE=lo ; Some performance tunings -socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks -verify = 4 +verifyPeer = yes ; Disable support for insecure protocols -;options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - +sslVersionMin = TLSv1.2 options = NO_COMPRESSION -; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE - ; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL +ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [ldaps] -accept = localhost:389 -connect = ldap.fripost.org:636 -CAfile = /etc/stunnel/certs/ldap.pem +; dummy address (socket-activated) +accept = 127.0.0.1:0 +connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636 +checkHost = ldap.fripost.org +CAfile = /etc/stunnel/certs/ldap.pem ; vim:ft=dosini |
