6 files changed, 92 insertions, 119 deletions
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 76084e4..f7e403e 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
-- name: Reload Postfix
-  service: name=postfix state=reloaded
+- name: Restart stunnel
+  service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
 
 - name: Restart Nginx
   service: name=nginx state=restarted
diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml
index e2dea38..7603a56 100644
--- a/roles/webmail/tasks/mail.yml
+++ b/roles/webmail/tasks/mail.yml
@@ -1,15 +1,39 @@
-- name: Install Postfix
-  apt: pkg=postfix
+- name: Install stunnel
+  apt: pkg=stunnel4
 
-- name: Configure Postfix
-  template: src=etc/postfix/main.cf.j2
-            dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
+- name: Auto-enable stunnel
+  lineinfile: dest=/etc/default/stunnel4
+              regexp='^(\s*#)?\s*ENABLED='
+              line='ENABLED=1'
+              owner=root group=root
+              mode=0644
+
+- name: Create /etc/stunnel/certs
+  file: path=/etc/stunnel/certs
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy the SMTP outgoing proxy's X.509 certificate
+  assemble: src=certs/postfix regexp="{{ groups.out | difference([inventory_hostname]) | join('|') }}\.pem$" remote_src=no
+            dest=/etc/stunnel/certs/postfix.pem
             owner=root group=root
             mode=0644
+  register: r1
   notify:
-    - Reload Postfix
+    - Restart stunnel
 
-- meta: flush_handlers
+- name: Configure stunnel
+  template: src=etc/stunnel/postfix.conf.j2
+            dest=/etc/stunnel/postfix.conf
+            owner=root group=root
+            mode=0644
+  register: r2
+  notify:
+    - Restart stunnel
 
-- name: Start Postfix
-  service: name=postfix state=started
+- name: Start stunnel
+  service: name=stunnel4 pattern=/usr/bin/stunnel4 state=started
+  when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml
index a6eeee2..030a547 100644
--- a/roles/webmail/tasks/main.yml
+++ b/roles/webmail/tasks/main.yml
@@ -1,2 +1,3 @@
 - include: mail.yml      tags=postfix,mail
+  when: "'out' not in group_names"
 - include: roundcube.yml tags=roundcube,webmail
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index ebe93c8..5392242 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -36,7 +36,7 @@
     - { var: messages_cache,         value: "null"        }
     # SMTP
     - { var: smtp_server,            value: "'localhost'" }
-    - { var: smtp_port,              value: "2580"        }
+    - { var: smtp_port,              value: "2525"        }
     # System
     - { var: force_https,            value: "TRUE"                     }
     - { var: login_autocomplete,     value: "2"                        }
diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2
deleted file mode 100644
index f4079d6..0000000
--- a/roles/webmail/templates/etc/postfix/main.cf.j2
+++ /dev/null
@@ -1,107 +0,0 @@
-########################################################################
-# Webmail configuration
-#
-# {{ ansible_managed }}
-# Do NOT edit this file directly!
-
-smtpd_banner     = $myhostname ESMTP $mail_name (Debian/GNU)
-biff             = no
-readme_directory = no
-mail_owner       = postfix
-
-delay_warning_time     = 4h
-maximal_queue_lifetime = 5d
-
-myorigin            = /etc/mailname
-myhostname          = webmail{{ webmailno | default('') }}.$mydomain
-mydomain            = fripost.org
-append_dot_mydomain = no
-
-# Turn off all TCP/IP listener ports except that necessary for the webmail.
-master_service_disable = !127.0.0.1:2580.inet inet
-
-queue_directory       = /var/spool/postfix-{{ postfix_instance[inst].name }}
-data_directory        = /var/lib/postfix-{{ postfix_instance[inst].name }}
-multi_instance_group  = {{ postfix_instance[inst].group | default('') }}
-multi_instance_name   = postfix-{{ postfix_instance[inst].name }}
-multi_instance_enable = yes
-
-# This server is a nullclient 
-mynetworks_style = host
-inet_interfaces  = loopback-only
-
-# No local delivery
-mydestination        =
-local_transport      = error:5.1.1 Mailbox unavailable
-alias_maps           =
-alias_database       =
-local_recipient_maps =
-
-message_size_limit  = 67108864
-recipient_delimiter = +
-
-# Forward everything to our internal outgoing proxy
-{% if 'out' in group_names %}
-relayhost     = [127.0.0.1]:{{ postfix_instance.out.port }}
-{% else %}
-relayhost     = [outgoing.fripost.org]:{{ postfix_instance.out.port }}
-{% endif %}
-relay_domains =
-
-
-# Don't rewrite remote headers
-local_header_rewrite_clients     =
-# Avoid splitting the envelope and scanning messages multiple times
-smtp_destination_recipient_limit = 1000
-# Tolerate occasional high latency
-smtp_data_done_timeout           = 1200s
-
-{% if 'out' in group_names %}
-smtp_tls_security_level         = none
-smtp_bind_address               = 127.0.0.1
-{% else %}
-smtp_tls_security_level         = encrypt
-smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
-smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
-smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
-smtp_tls_fingerprint_digest     = sha256
-{% endif %}
-smtpd_tls_security_level        = none
-
-
-strict_rfc821_envelopes = yes
-smtpd_delay_reject      = yes
-disable_vrfy_command    = yes
-
-# UCE control
-unknown_client_reject_code       = 554
-unverified_recipient_reject_code = 550
-
-smtpd_client_restrictions =
-    permit_mynetworks
-    reject
-
-smtpd_helo_required     = yes
-smtpd_helo_restrictions =
-    permit_mynetworks
-    reject_non_fqdn_helo_hostname
-    reject_invalid_helo_hostname
-
-smtpd_sender_restrictions =
-    reject_non_fqdn_sender
-    reject_unknown_sender_domain
-
-smtpd_relay_restrictions =
-    permit_mynetworks
-    reject
-
-smtpd_recipient_restrictions =
-    reject_non_fqdn_recipient
-    reject_unknown_recipient_domain
-    reject_unverified_recipient
-
-smtpd_data_restrictions =
-    reject_unauth_pipelining
-
-# vim: set filetype=pfmain :
diff --git a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 b/roles/webmail/templates/etc/stunnel/postfix.conf.j2
new file mode 100644
index 0000000..78922c8
--- /dev/null
+++ b/roles/webmail/templates/etc/stunnel/postfix.conf.j2
@@ -0,0 +1,55 @@
+; **************************************************************************
+; * Global options                                                         *
+; **************************************************************************
+
+; setuid()/setgid() to the specified user/group in daemon mode
+setuid = stunnel4
+setgid = stunnel4
+
+; PID is created inside the chroot jail
+pid = /var/run/stunnel4/postfix.pid
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections  *
+; **************************************************************************
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
+key  = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+client = yes
+socket = a:SO_BINDTODEVICE=lo
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verify = 4
+
+; Disable support for insecure protocols
+options = NO_SSLv2
+options = NO_SSLv3
+options = NO_TLSv1
+options = NO_TLSv1.1
+
+; These options provide additional security at some performance degradation
+options = SINGLE_ECDH_USE
+options = SINGLE_DH_USE
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode)               *
+; **************************************************************************
+
+[smtp]
+accept   = localhost:2525
+connect  = outgoing.fripost.org:{{ postfix_instance.out.port }}
+CAfile   = /etc/stunnel/certs/postfix.pem
+protocol = smtp
+
+; vim:ft=dosini