From 05d59141d1115cafb663305d680a930f089b4851 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 28 May 2016 13:49:48 +0200
Subject: Roundcube: route IMAP and managesieve traffic through IPSec.
---
 roles/webmail/tasks/roundcube.yml | 12 ++++++------
 .../roundcube/plugins/managesieve/config.inc.php.j2 | 20 ++++++++++----------
 webmail.yml | 2 +-
 3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 3d56af7..998026c 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -49,12 +49,12 @@
 # IMAP
 # WARNING: After hostname change update of mail_host column in users
 # table is required to match old user data records with the new host.
- - { var: default_host, value: "'localhost'" }
- - { var: default_port, value: "143" }
- - { var: imap_auth_type, value: "'PLAIN'" }
- - { var: imap_cache, value: "null" }
- - { var: imap_timeout, value: "180" }
- - { var: messages_cache, value: "false" }
+ - { var: default_host, value: "'{{ ipsec[imapsvr.inventory_hostname_short] }}'" }
+ - { var: default_port, value: "143" }
+ - { var: imap_auth_type, value: "'PLAIN'" }
+ - { var: imap_cache, value: "null" }
+ - { var: imap_timeout, value: "180" }
+ - { var: messages_cache, value: "false" }
 # SMTP
 - { var: smtp_server, value: "'localhost'" }
 - { var: smtp_port, value: "2525" }
diff --git a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
index 6ad7343..dcaca06 100644
--- a/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
+++ b/roles/webmail/templates/etc/roundcube/plugins/managesieve/config.inc.php.j2
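Review bot: The new `default_host` points Roundcube at the IMAP server's IPsec address while `default_port` stays `143` and `imap_auth_type` stays `'PLAIN'`, so the IMAP login is still sent in the clear at the application layer and its confidentiality now rests entirely on the IPsec policy for that address pair being mandatory rather than best-effort, which this diff cannot show; the managesieve hunks in config.inc.php.j2 make the same trade when they set `managesieve_usetls` to `false`. That assumption deserves to be recorded next to the setting, e.g. `# plaintext IMAP on purpose: the host is an IPsec address, the SA is what protects the login`. Separately, the WARNING comment kept as context says a hostname change requires updating the `mail_host` column of the `users` table, and moving from `'localhost'` to the IPsec address is such a change, yet no migration task is part of the commit, so existing user records will stop matching their host until that column is updated.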
@@ -10,7 +10,7 @@ $config['managesieve_port'] = 4190;
 // %n - http hostname ($_SERVER['SERVER_NAME'])
 // %d - domain (http hostname without the first part)
 // For example %n = mail.domain.tld, %d = domain.tld
-$config['managesieve_host'] = 'sieve.fripost.org';
+$config['managesieve_host'] = '{{ ipsec[imapsvr.inventory_hostname_short] }}';
 // authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
 // or none. Optional, defaults to best method supported by server.
@@ -26,19 +26,19 @@ $config['managesieve_auth_pw'] = null;
 // use or not TLS for managesieve server connection
 // Note: tls:// prefix in managesieve_host is also supported
-$config['managesieve_usetls'] = true;
+$config['managesieve_usetls'] = false;
 // Connection scket context options
 // See http://php.net/manual/en/context.ssl.php
 // The example below enables server certificate validation
-$config['managesieve_conn_options'] = array(
- 'ssl' => array(
- 'verify_peer' => true,
- 'disable_compression' => true,
- 'ciphers' => 'EECDH+AES!MEDIUM!LOW!EXP!aNULL!eNULL',
- 'peer_fingerprint' => array('sha1' => '{{ lookup('pipe', 'openssl x509 -in certs/public/imap.fripost.org.pem -noout -fingerprint -sha1 | sed "s/[^=]*=\s*//" | tr -d :') }}'),
- ),
- );
+//$config['managesieve_conn_options'] = array(
+// 'ssl' => array(
+// 'verify_peer' => true,
+// 'verify_depth' => 3,
+// 'cafile' => '/etc/openssl/certs/ca.crt',
+// ),
+// );
+$config['managesieve_conn_options'] = null;
 // default contents of filters script (eg. default spam filter)
 $config['managesieve_default'] = '/etc/dovecot/sieve/global';
diff --git a/webmail.yml b/webmail.yml
index 0ef0487..cd5100f 100644
--- a/webmail.yml
+++ b/webmail.yml
@@ -2,4 +2,4 @@
 - name: Configure the webmail
 hosts: webmail
 roles:
- - webmail
+ - { role: webmail, imapsvr: "{{ hostvars[groups.IMAP[0]] }}" }
-- 
cgit v1.2.3
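Review bot: Dropping the pinned `peer_fingerprint` and setting `managesieve_conn_options` to `null` leaves no trace in the template of why server authentication was removed, and the commented-out `array(...)` block above it now reads as a half-finished alternative rather than as deliberate dead config. A short comment on the `managesieve_usetls` line would make the intent explicit for the next maintainer, e.g. `// TLS intentionally off: managesieve_host is the IMAP server's IPsec address, so the IPsec SA (not TLS) authenticates and encrypts this hop.`. The commented-out example appears to be the upstream sample and can be deleted outright instead of being carried as a comment, unless it is meant as a reminder to re-enable verification if the transport ever changes.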
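Review bot: `imapsvr: "{{ hostvars[groups.IMAP[0]] }}"` silently binds the webmail to whichever host happens to be first in the IMAP group, so adding a second IMAP host or reordering the inventory changes the IMAP and managesieve endpoint without any error. If exactly one IMAP server is the intended model, a comment stating that assumption, e.g. `# the webmail talks to a single IMAP/managesieve server, the (only) member of the IMAP group`, and a check that `groups.IMAP | length == 1` before the role runs would turn a silent misconfiguration into a failed play.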