From 42df93debccbcb1a18cd377b6de0b5b20527312f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 18 May 2020 15:51:54 +0200
Subject: stunnel4: Harden and socket-activate.

---
 .../files/etc/systemd/system/stunnel4@.service     |  5 ++
 roles/common/tasks/stunnel.yml                     | 12 ++---
 .../etc/roundcube/plugins/password/config.inc.php  |  2 +-
 roles/webmail/files/etc/stunnel/ldap.conf          | 57 ----------------------
 .../files/etc/systemd/system/stunnel4@ldap.socket  | 11 +++++
 roles/webmail/handlers/main.yml                    |  6 +++
 roles/webmail/tasks/ldap.yml                       | 32 +++++++-----
 roles/webmail/templates/etc/stunnel/ldap.conf.j2   | 41 ++++++++++++++++
 8 files changed, 87 insertions(+), 79 deletions(-)
 delete mode 100644 roles/webmail/files/etc/stunnel/ldap.conf
 create mode 100644 roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
 create mode 100644 roles/webmail/templates/etc/stunnel/ldap.conf.j2

diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index 1a30599..4d69702 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,10 +1,15 @@
 [Unit]
 Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
 After=network.target nss-lookup.target
 PartOf=stunnel4.service
 ReloadPropagatedFrom=stunnel4.service
 
 [Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
 ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml
index 7cb8823..1522f1f 100644
--- a/roles/common/tasks/stunnel.yml
+++ b/roles/common/tasks/stunnel.yml
@@ -1,14 +1,7 @@
 - name: Install stunnel4
   apt: pkg=stunnel4
 
-- name: Set 'ENABLED=0' in /etc/default/stunnel4
-  lineinfile: dest=/etc/default/stunnel4
-              regexp='^(\s*#)?\s*ENABLED='
-              line='ENABLED=0'
-              owner=root group=root
-              mode=0644
-
-- name: Copy stunnel4 service file
+- name: Copy stunnel4 service files
   copy: src=etc/systemd/system/{{ item }}
         dest=/etc/systemd/system/{{ item }}
         owner=root group=root
@@ -18,3 +11,6 @@
   with_items:
     - stunnel4.service
     - stunnel4@.service
+
+- name: Disable stunnel4 service
+  service: name=stunnel4.service enabled=false
diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
index c32f58e..e53b753 100644
--- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
+++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php
@@ -122,7 +122,7 @@ $config['password_saslpasswd_args'] = '';
 // You can provide one or several hosts in an array in which case the hosts are tried from left to right.
 // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');
 // Default: 'localhost'
-$config['password_ldap_host'] = 'localhost';
+$config['password_ldap_host'] = '127.0.0.1';
 
 // LDAP server port to connect to
 // Default: '389'
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
deleted file mode 100644
index 1a60a4f..0000000
--- a/roles/webmail/files/etc/stunnel/ldap.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-; **************************************************************************
-; * Global options                                                         *
-; **************************************************************************
-
-; setuid()/setgid() to the specified user/group in daemon mode
-setuid = stunnel4
-setgid = stunnel4
-
-; PID is created inside the chroot jail
-pid =
-foreground = yes
-
-; Only log messages at severity warning (4) and higher
-debug = 4
-
-; **************************************************************************
-; * Service defaults may also be specified in individual service sections  *
-; **************************************************************************
-
-; Certificate/key is needed in server mode and optional in client mode
-;cert = /etc/stunnel/mail.pem
-;key = /etc/stunnel/mail.pem
-client = yes
-socket = a:SO_BINDTODEVICE=lo
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-
-; Prevent MITM attacks
-verify = 4
-
-; Disable support for insecure protocols
-;options = NO_SSLv2
-options = NO_SSLv3
-options = NO_TLSv1
-options = NO_TLSv1.1
-
-options = NO_COMPRESSION
-
-; These options provide additional security at some performance degradation
-;options = SINGLE_ECDH_USE
-;options = SINGLE_DH_USE
-
-; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
-
-; **************************************************************************
-; * Service definitions (remove all services for inetd mode)               *
-; **************************************************************************
-
-[ldaps]
-accept  = localhost:389
-connect = ldap.fripost.org:636
-CAfile  = /etc/stunnel/certs/ldap.pem
-
-; vim:ft=dosini
diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
new file mode 100644
index 0000000..72aa82c
--- /dev/null
+++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
+
+[Socket]
+BindToDevice=lo
+ListenStream=127.0.0.1:389
+NoDelay=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml
index 0515c8b..5b730d7 100644
--- a/roles/webmail/handlers/main.yml
+++ b/roles/webmail/handlers/main.yml
@@ -7,3 +7,9 @@
 
 - name: Restart Nginx
   service: name=nginx state=restarted
+
+- name: Stop stunnel4@ldap.service
+  service: name=stunnel4@ldap.service state=stopped
+
+- name: Restart stunnel4@ldap.socket
+  service: name=stunnel4@ldap.socket state=restarted
diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml
index 4abbd3a..f0b461c 100644
--- a/roles/webmail/tasks/ldap.yml
+++ b/roles/webmail/tasks/ldap.yml
@@ -1,3 +1,12 @@
+- name: Copy stunnel4@ldap.socket
+  copy: src=etc/systemd/system/stunnel4@ldap.socket
+        dest=/etc/systemd/system/stunnel4@ldap.socket
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Restart stunnel4@ldap.socket
+
 - name: Create /etc/stunnel/certs
   file: path=/etc/stunnel/certs
         state=directory
@@ -9,22 +18,19 @@
         dest=/etc/stunnel/certs/ldap.pem
         owner=root group=root
         mode=0644
-  register: r1
   notify:
-    - Restart stunnel@ldap
+    - Stop stunnel4@ldap.service
 
 - name: Configure stunnel
-  copy: src=etc/stunnel/ldap.conf
-        dest=/etc/stunnel/ldap.conf
-        owner=root group=root
-        mode=0644
-  register: r2
+  template: src=etc/stunnel/ldap.conf.j2
+            dest=/etc/stunnel/ldap.conf
+            owner=root group=root
+            mode=0644
   notify:
-    - Restart stunnel@ldap
+    - Stop stunnel4@ldap.service
 
-- name: Enable stunnel@ldap
-  service: name=stunnel4@ldap enabled=yes
+- name: Disable stunnel4@ldap.service
+  service: name=stunnel4@ldap.service enabled=false
 
-- name: Start stunnel@ldap
-  service: name=stunnel4@ldap state=started
-  when: not (r1.changed or r2.changed)
+- name: Start stunnel4@ldap.socket socket
+  service: name=stunnel4@ldap.socket state=started enabled=true
diff --git a/roles/webmail/templates/etc/stunnel/ldap.conf.j2 b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
new file mode 100644
index 0000000..6fce2bc
--- /dev/null
+++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2
@@ -0,0 +1,41 @@
+; **************************************************************************
+; * Global options                                                         *
+; **************************************************************************
+
+pid =
+foreground = yes
+
+; Only log messages at severity warning (4) and higher
+debug = 4
+
+; **************************************************************************
+; * Service defaults may also be specified in individual service sections  *
+; **************************************************************************
+
+client = yes
+
+; Some performance tunings
+socket = r:TCP_NODELAY=1
+
+; Prevent MITM attacks
+verifyPeer = yes
+
+; Disable support for insecure protocols
+sslVersionMin = TLSv1.2
+options = NO_COMPRESSION
+
+; Select permitted SSL ciphers
+ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
+
+; **************************************************************************
+; * Service definitions (remove all services for inetd mode)               *
+; **************************************************************************
+
+[ldaps]
+; dummy address (socket-activated)
+accept  = 127.0.0.1:0
+connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636
+checkHost = ldap.fripost.org
+CAfile = /etc/stunnel/certs/ldap.pem
+
+; vim:ft=dosini
-- 
cgit v1.2.3