Diffstat (limited to 'roles')
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j21
-rw-r--r--roles/common-web/files/etc/nginx/ssl/config12
-rw-r--r--roles/common/tasks/ipsec.yml2
-rw-r--r--roles/common/tasks/samhain.yml7
-rw-r--r--roles/lists/handlers/main.yml3
-rw-r--r--roles/webmail/tasks/roundcube.yml2
6 files changed, 16 insertions, 11 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index b15b907..e234d73 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -55,41 +55,40 @@ local_header_rewrite_clients =
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency
smtp_data_done_timeout = 1200s
# Anonymize the (authenticated) sender; pass the mail to the antivirus
header_checks = pcre:$config_directory/anonymize_sender.pcre
#content_filter = amavisfeed:unix:public/amavisfeed-antivirus
# Tunnel everything through IPSec
smtp_tls_security_level = none
{% if 'MTA-out' in group_names %}
smtp_bind_address = 127.0.0.1
{% else %}
smtp_bind_address = 172.16.0.1
{% endif %}
# TLS
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_eecdh_grade = strong
tls_random_source = dev:/dev/urandom
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = unix:private/dovecot-auth
strict_rfc821_envelopes = yes
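Review bot: Removing `smtpd_tls_CApath` while `smtpd_tls_ask_ccert = yes` and `smtpd_tls_fingerprint_digest = sha1` stay in place means a client certificate offered to this smtpd can no longer be verified against any CA and is only usable through fingerprint matching; if that is the intent, a comment next to `smtpd_tls_ask_ccert` such as `# No CApath on purpose: client certs are pinned by fingerprint, not validated by CA` stops the next maintainer from re-adding the directory. Since this block is being touched, `sha1` is a weak digest for certificate pinning and Postfix accepts `smtpd_tls_fingerprint_digest = sha256`. The hunk header announces 41/40 lines but fewer are visible here, so some context lines may have been dropped by the page rendering.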
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
index 6f0546b..7deef29 100644
--- a/roles/common-web/files/etc/nginx/ssl/config
+++ b/roles/common-web/files/etc/nginx/ssl/config
@@ -1,19 +1,19 @@
ssl on;
# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
-keepalive_timeout 75 75;
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:5m;
+keepalive_timeout 75 75;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
# in favor of RC4, but that's not satisfactory either since RC4 has
# other weaknesses.
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_prefer_server_ciphers on;
# Strict Transport Security header for enhanced security. See
# http://www.chromium.org/sts.
add_header Strict-Transport-Security "max-age=15552000";
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 56c8300..7870626 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -38,23 +38,23 @@
mode=0644
register: r2
notify:
- Restart IPSec
- name: Start IPSec
service: name=ipsec state=started
when: not (r1.changed or r2.changed)
- name: Auto-create a dedicated interface for IPSec
copy: src=etc/network/if-up.d/ipsec
dest=/etc/network/if-up.d/ipsec
owner=root group=root
mode=0755
notify:
- Reload networking
- name: Auto-deactivate the dedicated interface for IPSec
file: src=../if-up.d/ipsec
dest=/etc/network/if-down.d/ipsec
- owner=root group=root state=link
+ owner=root group=root state=link force=yes
- meta: flush_handlers
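Review bot: `force=yes` on the `state=link` task replaces whatever regular file currently sits at `/etc/network/if-down.d/ipsec`, so a locally edited hook would be silently overwritten rather than reported as a conflict; if that is acceptable for convergence, a comment on the task such as `# force=yes: replace any stale regular file left from a previous layout` records the decision. The same `force=yes` is added in roles/webmail/tasks/roundcube.yml for `/etc/nginx/sites-enabled/roundcube` and the same remark applies there. This hunk starts in the middle of an earlier task (the `mode=0644` / `register: r2` lines belong to a task whose header is outside the hunk).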
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index 0d911a5..10b1f46 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
@@ -1,26 +1,29 @@
- name: Install samhain
apt: pkg={{ item }}
with_items:
- samhain
- auditd
# XXX: Doesn't work out of the box, see #660197.
# Every once in a while, or after a major upgrade, you may want to
- # update Samhain's database (to avoid being flooded at the next
- # reboot):
+ # update Samhain's database:
+ #
+ # sudo samhain -t update --foreground
+ #
+ # To update the database without sending mails:
#
# sudo samhain -t update --foreground -m none
- name: Configure samhain
copy: src=etc/samhain/samhainrc
dest=/etc/samhain/samhainrc
owner=root group=root
mode=0644
notify:
- Reload samhain
- name: Start samhain
# This task is inconditional because samhain is reloaded not
# restarted.
service: name=samhain state=started
- meta: flush_handlers
diff --git a/roles/lists/handlers/main.yml b/roles/lists/handlers/main.yml
index c27834e..308f708 100644
--- a/roles/lists/handlers/main.yml
+++ b/roles/lists/handlers/main.yml
@@ -1,6 +1,9 @@
---
- name: Restart Postfix
service: name=postfix state=restarted
- name: Reload Postfix
service: name=postfix state=reloaded
+
+- name: Restart Nginx
+ service: name=nginx state=restarted
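Review bot: The new handler only offers `state=restarted`, which drops in-flight TLS connections, although the changes that notify it in this commit are config-only and would be served by a reload; the file already pairs `Restart Postfix` with `Reload Postfix`, so adding a sibling `- name: Reload Nginx` with `service: name=nginx state=reloaded` keeps the two services consistent and lets tasks pick the lighter action. The tasks in roles/webmail/tasks/roundcube.yml notify `Restart Nginx`, so presumably they are meant to resolve to this handler; that only holds if handlers of the lists role are visible to the webmail role, which cannot be confirmed from this page.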
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 8e48208..477943f 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -62,25 +62,25 @@
with_items:
- additional_message_headers
- managesieve
- password
- name: Start php5-fpm
service: name=php5-fpm state=started
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
dest=/etc/nginx/sites-available/roundcube
owner=root group=root
mode=0644
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/roundcube
file: src=../sites-available/roundcube
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
- state=link
+ state=link force=yes
notify:
- Restart Nginx
- meta: flush_handlers