diff options
Diffstat (limited to 'roles/webmail')
-rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 69 | ||||
-rw-r--r-- | roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png | bin | 0 -> 6567 bytes | |||
-rw-r--r-- | roles/webmail/handlers/main.yml | 9 | ||||
-rw-r--r-- | roles/webmail/tasks/mail.yml | 20 | ||||
-rw-r--r-- | roles/webmail/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 85 | ||||
-rw-r--r-- | roles/webmail/templates/etc/postfix/main.cf.j2 | 99 | ||||
-rw-r--r-- | roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 | 14 | ||||
-rw-r--r-- | roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 | 149 |
9 files changed, 447 insertions, 0 deletions
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube new file mode 100644 index 0000000..72f5a40 --- /dev/null +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -0,0 +1,69 @@ +server { + + listen 80; + listen [::]:80 ipv6only=on; + + server_name mail.fripost.org; + + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; + + return 301 https://$http_host$request_uri; +} + + +server { + listen 443; + listen [::]:443 ipv6only=on; + + server_name mail.fripost.org; + root /var/lib/roundcube; + + include ssl/config; + ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; + ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + + location = /favicon.ico { + root /usr/share/roundcube/skins/default/images; + log_not_found off; + access_log off; + expires max; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Deny all attempts to access hidden files, or files under hidden + # directories. + location ~ /\. { return 404; } + + access_log /var/log/nginx/roundcube.access.log; + error_log /var/log/nginx/roundcube.error.log info; + + index index.php; + location = /index.php { + include fastcgi/php; + include fastcgi/php-ssl; + + # From /var/lib/roundcube/.htaccess + fastcgi_param PHP_VALUE "upload_max_filesize=25M + post_max_size=30M + memory_limit=64M + session.gc_maxlifetime=21600 + session.gc_divisor=500 + session.gc_probability=1"; + fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/usr/share/roundcube:/etc/roundcube:/var/log/roundcube:/usr/share/php:/usr/share/misc/magic + upload_tmp_dir=$document_root/temp"; + } + + # Security rules + location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { + return 404; + } + location ~ ^/(bin|SQL)/ { + return 404; + } +} diff --git a/roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png b/roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png Binary files differnew file mode 100644 index 0000000..7af586a --- /dev/null +++ b/roles/webmail/files/var/lib/roundcube/skins/default/images/logo_webmail.png diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml new file mode 100644 index 0000000..308f708 --- /dev/null +++ b/roles/webmail/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: Restart Postfix + service: name=postfix state=restarted + +- name: Reload Postfix + service: name=postfix state=reloaded + +- name: Restart Nginx + service: name=nginx state=restarted diff --git a/roles/webmail/tasks/mail.yml b/roles/webmail/tasks/mail.yml new file mode 100644 index 0000000..d3fb64e --- /dev/null +++ b/roles/webmail/tasks/mail.yml @@ -0,0 +1,20 @@ +- name: Install Postfix + apt: pkg={{ item }} + with_items: + - postfix + - postfix-pcre + +- name: Configure Postfix + template: src=etc/postfix/main.cf.j2 + dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf + owner=root group=root + mode=0644 + register: r + notify: + - Restart Postfix + +- name: Start Postfix + service: name=postfix state=started + when: not r.changed + +- meta: flush_handlers diff --git a/roles/webmail/tasks/main.yml b/roles/webmail/tasks/main.yml new file mode 100644 index 0000000..a6eeee2 --- /dev/null +++ b/roles/webmail/tasks/main.yml @@ -0,0 +1,2 @@ +- include: mail.yml tags=postfix,mail +- include: roundcube.yml tags=roundcube,webmail diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml new file mode 100644 index 0000000..e76b896 --- /dev/null +++ b/roles/webmail/tasks/roundcube.yml @@ -0,0 +1,85 @@ +- name: Install Roundcube + apt: pkg={{ item }} + with_items: + - roundcube-core + - roundcube-mysql + - roundcube-plugins + - php5-fpm + - php5-ldap + +- name: Copy fripost's logo + copy: src=var/lib/roundcube/skins/default/images/logo_webmail.png + dest=/var/lib/roundcube/skins/default/images/logo_webmail.png + owner=root group=root + mode=0644 + +- name: Configure Roundcube + lineinfile: dest=/etc/roundcube/main.inc.php + "regexp=^\s*\$rcmail_config\['{{ item.var }}']\s*=" + "line=$rcmail_config['{{ item.var }}'] = {{ item.value }};" + owner=root group=www-data + mode=0640 + with_items: + # Logging/Debugging + - { var: smtp_log, value: "FALSE" } + # IMAP + - { var: default_host, value: "'ssl://imap.fripost.org'" } + - { var: imap_auth_type, value: "'plain'" } + - { var: imap_cache, value: "'db'" } + - { var: message_cache, value: "'db'" } + # SMTP + - { var: smtp_server, value: "localhost" } + - { var: smtp_port, value: "2580" } + # System + - { var: force_https, value: "TRUE" } + - { var: login_autocomplete, value: "2" } + - { var: skin_logo, value: "'skins/default/images/logo_webmail.png'" } + - { var: username_domain, value: "'fripost.org'" } + - { var: product_name, value: "'Fripost'" } + # Plugins + - { var: plugins, value: "array('password','additional_message_headers')" } + # User Interface + - { var: language, value: "'sv_SE'" } + - { var: create_default_folders, value: "TRUE" } + # User Preferences + - { var: htmleditor, value: "TRUE" } + - { var: skip_deleted, value: "TRUE" } + - { var: check_all_folders, value: "FALSE" } + +- name: Make the logo a hyperlink to the website + lineinfile: dest=/usr/share/roundcube/skins/default/templates/login.html + regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png" id="logo" border="0" style="margin:0 11px" />)$' + line='<a href="https://fripost.org">\1</a>' + backrefs=yes + owner=root group=root + mode=0644 + +- name: Configure Roundcube plugins + template: src=usr/share/roundcube/plugins/{{ item }}/config.inc.php.j2 + dest=/usr/share/roundcube/plugins/{{ item }}/config.inc.php + owner=root group=root + mode=0644 + with_items: + - password + - additional_message_headers + +- name: Start php5-fpm + service: name=php5-fpm state=started + +- name: Copy /etc/nginx/sites-available/roundcube + copy: src=etc/nginx/sites-available/roundcube + dest=/etc/nginx/sites-available/roundcube + owner=root group=root + mode=0644 + notify: + - Restart Nginx + +- name: Create /etc/nginx/sites-enabled/roundcube + file: src=../sites-available/roundcube + dest=/etc/nginx/sites-enabled/roundcube + owner=root group=root + state=link + notify: + - Restart Nginx + +- meta: flush_handlers diff --git a/roles/webmail/templates/etc/postfix/main.cf.j2 b/roles/webmail/templates/etc/postfix/main.cf.j2 new file mode 100644 index 0000000..fd4ea8e --- /dev/null +++ b/roles/webmail/templates/etc/postfix/main.cf.j2 @@ -0,0 +1,99 @@ +######################################################################## +# Webmail configuration +# +# {{ ansible_managed }} +# Do NOT edit this file directly! + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +mail_owner = postfix + +delay_warning_time = 4h +maximal_queue_lifetime = 5d + +myorigin = /etc/mailname +myhostname = webmail{{ webmailno | default('') }}.$mydomain +mydomain = {{ ansible_domain }} +append_dot_mydomain = no + +# Turn off all TCP/IP listener ports except that necessary for the webmail. +master_service_disable = !2580.inet inet + +queue_directory = /var/spool/postfix-{{ postfix_instance[inst].name }} +data_directory = /var/lib/postfix-{{ postfix_instance[inst].name }} +multi_instance_group = {{ postfix_instance[inst].group | default('') }} +multi_instance_name = postfix-{{ postfix_instance[inst].name }} +multi_instance_enable = yes + +# This server is a nullclient +mynetworks_style = host +inet_interfaces = loopback-only +inet_protocols = all + +# No local delivery +mydestination = +local_transport = error:5.1.1 Mailbox unavailable +alias_maps = +alias_database = +local_recipient_maps = + +message_size_limit = 67108864 +recipient_delimiter = + + +# Forward everything to our internal mailhub +{% if 'MTA-out' in group_names %} +relayhost = [127.0.0.1]:{{ MTA_out.port }} +{% else %} +relayhost = [{{ MTA_out.IPv4 }}]:{{ MTA_out.port }} +{% endif %} +relay_domains = + +# Don't rewrite remote headers +local_header_rewrite_clients = +# Pass the client information along to the content filter +smtp_send_xforward_command = yes +# Avoid splitting the envelope and scanning messages multiple times +smtp_destination_recipient_limit = 1000 +# Tolerate occasional high latency +smtp_data_done_timeout = 1200s + +# Pass the mail to the antivirus +#content_filter = amavisfeed:unix:public/amavisfeed-antivirus + +# Tunnel everything through IPSec +smtp_tls_security_level = none +smtp_bind_address = 172.16.0.1 +smtpd_tls_security_level = none + + +strict_rfc821_envelopes = yes +smtpd_delay_reject = yes +disable_vrfy_command = yes + +# UCE control +unknown_client_reject_code = 554 + +smtpd_client_restrictions = + permit_mynetworks + reject + +smtpd_helo_required = yes +smtpd_helo_restrictions = + permit_mynetworks + reject_non_fqdn_helo_hostname + reject_invalid_helo_hostname + +smtpd_sender_restrictions = + reject_non_fqdn_sender + reject_unknown_sender_domain + +smtpd_recipient_restrictions = + # RFC requirements + reject_non_fqdn_recipient + reject_unknown_recipient_domain + permit_mynetworks + reject + +smtpd_data_restrictions = + reject_unauth_pipelining diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 new file mode 100644 index 0000000..e9d0d3d --- /dev/null +++ b/roles/webmail/templates/usr/share/roundcube/plugins/additional_message_headers/config.inc.php.j2 @@ -0,0 +1,14 @@ +<?php + +// $rcmail_config['additional_message_headers']['X-Remote-Browser'] = $_SERVER['HTTP_USER_AGENT']; +$rcmail_config['additional_message_headers']['X-Originating-IP'] = null; +// $rcmail_config['additional_message_headers']['X-RoundCube-Server'] = $_SERVER['SERVER_ADDR']; + +// if( isset( $_SERVER['MACHINE_NAME'] )) { +// $rcmail_config['additional_message_headers']['X-RoundCube-Server'] .= ' (' . $_SERVER['MACHINE_NAME'] . ')'; +// } + +// To remove (e.g. X-Sender) message header use null value +$rcmail_config['additional_message_headers']['X-Sender'] = null; + +?> diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 new file mode 100644 index 0000000..35c73f9 --- /dev/null +++ b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 @@ -0,0 +1,149 @@ +<?php + +// Password Plugin options +// ----------------------- +// A driver to use for password change. Default: "sql". +// See README file for list of supported driver names. +$rcmail_config['password_driver'] = 'ldap_simple'; + +// Determine whether current password is required to change password. +// Default: false. +$rcmail_config['password_confirm_current'] = true; + +// Require the new password to be a certain length. +// set to blank to allow passwords of any length +$rcmail_config['password_minimum_length'] = 12; + +// Require the new password to contain a letter and punctuation character +// Change to false to remove this check. +$rcmail_config['password_require_nonalpha'] = false; + +// Enables logging of password changes into logs/password +$rcmail_config['password_log'] = false; + + +// LDAP and LDAP_SIMPLE Driver options +// ----------------------------------- +// LDAP server name to connect to. +// You can provide one or several hosts in an array in which case the hosts are tried from left to right. +// Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); +// Default: 'localhost' +$rcmail_config['password_ldap_host'] = '{{ LDAP_provider }}'; + +// LDAP server port to connect to +// Default: '389' +$rcmail_config['password_ldap_port'] = '389'; + +// TLS is started after connecting +// Using TLS for password modification is recommanded. +// Default: false +$rcmail_config['password_ldap_starttls'] = false; + +// LDAP version +// Default: '3' +$rcmail_config['password_ldap_version'] = '3'; + +// LDAP base name (root directory) +// Exemple: 'dc=exemple,dc=com' +$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org'; + +// LDAP connection method +// There is two connection method for changing a user's LDAP password. +// 'user': use user credential (recommanded, require password_confirm_current=true) +// 'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW) +// Default: 'user' +$rcmail_config['password_ldap_method'] = 'user'; + +// LDAP Admin DN +// Used only in admin connection mode +// Default: null +$rcmail_config['password_ldap_adminDN'] = null; + +// LDAP Admin Password +// Used only in admin connection mode +// Default: null +$rcmail_config['password_ldap_adminPW'] = null; + +// LDAP user DN mask +// The user's DN is mandatory and as we only have his login, +// we need to re-create his DN using a mask +// '%login' will be replaced by the current roundcube user's login +// '%name' will be replaced by the current roundcube user's name part +// '%domain' will be replaced by the current roundcube user's domain part +// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" +// Exemple: 'uid=%login,ou=people,dc=exemple,dc=com' +$rcmail_config['password_ldap_userDN_mask'] = 'fvl=%name,fvd=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org'; + +// LDAP search DN +// The DN roundcube should bind with to find out user's DN +// based on his login. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// Use this if you cannot specify a general template for user DN with +// password_ldap_userDN_mask. You need to perform a search based on +// users login to find his DN instead. A common reason might be that +// your users are placed under different ou's like engineering or +// sales which cannot be derived from their login only. +$rcmail_config['password_ldap_searchDN'] = null; + +// LDAP search password +// If password_ldap_searchDN is set, the password to use for +// binding to search for user's DN. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// Warning: Be sure to set approperiate permissions on this file so this password +// is only accesible to roundcube and don't forget to restrict roundcube's access to +// your directory as much as possible using ACLs. Should this password be compromised +// you want to minimize the damage. +$rcmail_config['password_ldap_searchPW'] = null; + +// LDAP search base +// If password_ldap_searchDN is set, the base to search in using the filter below. +// Note that you should comment out the default password_ldap_userDN_mask setting +// for this to take effect. +$rcmail_config['password_ldap_search_base'] = null; + +// LDAP search filter +// If password_ldap_searchDN is set, the filter to use when +// searching for user's DN. Note that you should comment out the default +// password_ldap_userDN_mask setting for this to take effect. +// '%login' will be replaced by the current roundcube user's login +// '%name' will be replaced by the current roundcube user's name part +// '%domain' will be replaced by the current roundcube user's domain part +// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com" +// Example: '(uid=%login)' +// Example: '(&(objectClass=posixAccount)(uid=%login))' +$rcmail_config['password_ldap_search_filter'] = null; + +// LDAP password hash type +// Standard LDAP encryption type which must be one of: crypt, +// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear. +// Please note that most encodage types require external libraries +// to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info. +// Default: 'crypt' +$rcmail_config['password_ldap_encodage'] = 'ssha'; + +// LDAP password attribute +// Name of the ldap's attribute used for storing user password +// Default: 'userPassword' +$rcmail_config['password_ldap_pwattr'] = 'userPassword'; + +// LDAP password force replace +// Force LDAP replace in cases where ACL allows only replace not read +// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace +// Default: true +$rcmail_config['password_ldap_force_replace'] = true; + +// LDAP Password Last Change Date +// Some places use an attribute to store the date of the last password change +// The date is meassured in "days since epoch" (an integer value) +// Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange) +$rcmail_config['password_ldap_lchattr'] = ''; + +// LDAP Samba password attribute, e.g. sambaNTPassword +// Name of the LDAP's Samba attribute used for storing user password +$rcmail_config['password_ldap_samba_pwattr'] = ''; + +// LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet +// Some places use an attribute to store the date of the last password change +// The date is meassured in "seconds since epoch" (an integer value) +// Whenever the password is changed, the attribute will be updated if set +$rcmail_config['password_ldap_samba_lchattr'] = ''; |