From 42df93debccbcb1a18cd377b6de0b5b20527312f Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 18 May 2020 15:51:54 +0200 Subject: stunnel4: Harden and socket-activate. --- .../files/etc/systemd/system/stunnel4@.service | 5 ++ roles/common/tasks/stunnel.yml | 12 ++--- .../etc/roundcube/plugins/password/config.inc.php | 2 +- roles/webmail/files/etc/stunnel/ldap.conf | 57 ---------------------- .../files/etc/systemd/system/stunnel4@ldap.socket | 11 +++++ roles/webmail/handlers/main.yml | 6 +++ roles/webmail/tasks/ldap.yml | 32 +++++++----- roles/webmail/templates/etc/stunnel/ldap.conf.j2 | 41 ++++++++++++++++ 8 files changed, 87 insertions(+), 79 deletions(-) delete mode 100644 roles/webmail/files/etc/stunnel/ldap.conf create mode 100644 roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket create mode 100644 roles/webmail/templates/etc/stunnel/ldap.conf.j2 diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service index 1a30599..4d69702 100644 --- a/roles/common/files/etc/systemd/system/stunnel4@.service +++ b/roles/common/files/etc/systemd/system/stunnel4@.service @@ -1,10 +1,15 @@ [Unit] Description=SSL tunnel for network daemons (instance %i) +Documentation=man:stunnel4(8) After=network.target nss-lookup.target PartOf=stunnel4.service ReloadPropagatedFrom=stunnel4.service [Service] +DynamicUser=yes +; force dynamic user/group allocation (stunnel4 user exists already) +User=_stunnel4-%i +Group=_stunnel4-%i ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf ExecReload=/bin/kill -HUP ${MAINPID} KillSignal=SIGINT diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml index 7cb8823..1522f1f 100644 --- a/roles/common/tasks/stunnel.yml +++ b/roles/common/tasks/stunnel.yml @@ -1,14 +1,7 @@ - name: Install stunnel4 apt: pkg=stunnel4 -- name: Set 'ENABLED=0' in /etc/default/stunnel4 - lineinfile: dest=/etc/default/stunnel4 - regexp='^(\s*#)?\s*ENABLED=' - line='ENABLED=0' - owner=root group=root - mode=0644 - -- name: Copy stunnel4 service file +- name: Copy stunnel4 service files copy: src=etc/systemd/system/{{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root @@ -18,3 +11,6 @@ with_items: - stunnel4.service - stunnel4@.service + +- name: Disable stunnel4 service + service: name=stunnel4.service enabled=false diff --git a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php index c32f58e..e53b753 100644 --- a/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php +++ b/roles/webmail/files/etc/roundcube/plugins/password/config.inc.php @@ -122,7 +122,7 @@ $config['password_saslpasswd_args'] = ''; // You can provide one or several hosts in an array in which case the hosts are tried from left to right. // Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com'); // Default: 'localhost' -$config['password_ldap_host'] = 'localhost'; +$config['password_ldap_host'] = '127.0.0.1'; // LDAP server port to connect to // Default: '389' diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf deleted file mode 100644 index 1a60a4f..0000000 --- a/roles/webmail/files/etc/stunnel/ldap.conf +++ /dev/null @@ -1,57 +0,0 @@ -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; setuid()/setgid() to the specified user/group in daemon mode -setuid = stunnel4 -setgid = stunnel4 - -; PID is created inside the chroot jail -pid = -foreground = yes - -; Only log messages at severity warning (4) and higher -debug = 4 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Certificate/key is needed in server mode and optional in client mode -;cert = /etc/stunnel/mail.pem -;key = /etc/stunnel/mail.pem -client = yes -socket = a:SO_BINDTODEVICE=lo - -; Some performance tunings -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 - -; Prevent MITM attacks -verify = 4 - -; Disable support for insecure protocols -;options = NO_SSLv2 -options = NO_SSLv3 -options = NO_TLSv1 -options = NO_TLSv1.1 - -options = NO_COMPRESSION - -; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE - -; Select permitted SSL ciphers -ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL - -; ************************************************************************** -; * Service definitions (remove all services for inetd mode) * -; ************************************************************************** - -[ldaps] -accept = localhost:389 -connect = ldap.fripost.org:636 -CAfile = /etc/stunnel/certs/ldap.pem - -; vim:ft=dosini diff --git a/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket new file mode 100644 index 0000000..72aa82c --- /dev/null +++ b/roles/webmail/files/etc/systemd/system/stunnel4@ldap.socket @@ -0,0 +1,11 @@ +[Unit] +Description=SSL tunnel for network daemons (instance %i) +Documentation=man:stunnel4(8) + +[Socket] +BindToDevice=lo +ListenStream=127.0.0.1:389 +NoDelay=yes + +[Install] +WantedBy=sockets.target diff --git a/roles/webmail/handlers/main.yml b/roles/webmail/handlers/main.yml index 0515c8b..5b730d7 100644 --- a/roles/webmail/handlers/main.yml +++ b/roles/webmail/handlers/main.yml @@ -7,3 +7,9 @@ - name: Restart Nginx service: name=nginx state=restarted + +- name: Stop stunnel4@ldap.service + service: name=stunnel4@ldap.service state=stopped + +- name: Restart stunnel4@ldap.socket + service: name=stunnel4@ldap.socket state=restarted diff --git a/roles/webmail/tasks/ldap.yml b/roles/webmail/tasks/ldap.yml index 4abbd3a..f0b461c 100644 --- a/roles/webmail/tasks/ldap.yml +++ b/roles/webmail/tasks/ldap.yml @@ -1,3 +1,12 @@ +- name: Copy stunnel4@ldap.socket + copy: src=etc/systemd/system/stunnel4@ldap.socket + dest=/etc/systemd/system/stunnel4@ldap.socket + owner=root group=root + mode=0644 + notify: + - systemctl daemon-reload + - Restart stunnel4@ldap.socket + - name: Create /etc/stunnel/certs file: path=/etc/stunnel/certs state=directory @@ -9,22 +18,19 @@ dest=/etc/stunnel/certs/ldap.pem owner=root group=root mode=0644 - register: r1 notify: - - Restart stunnel@ldap + - Stop stunnel4@ldap.service - name: Configure stunnel - copy: src=etc/stunnel/ldap.conf - dest=/etc/stunnel/ldap.conf - owner=root group=root - mode=0644 - register: r2 + template: src=etc/stunnel/ldap.conf.j2 + dest=/etc/stunnel/ldap.conf + owner=root group=root + mode=0644 notify: - - Restart stunnel@ldap + - Stop stunnel4@ldap.service -- name: Enable stunnel@ldap - service: name=stunnel4@ldap enabled=yes +- name: Disable stunnel4@ldap.service + service: name=stunnel4@ldap.service enabled=false -- name: Start stunnel@ldap - service: name=stunnel4@ldap state=started - when: not (r1.changed or r2.changed) +- name: Start stunnel4@ldap.socket socket + service: name=stunnel4@ldap.socket state=started enabled=true diff --git a/roles/webmail/templates/etc/stunnel/ldap.conf.j2 b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 new file mode 100644 index 0000000..6fce2bc --- /dev/null +++ b/roles/webmail/templates/etc/stunnel/ldap.conf.j2 @@ -0,0 +1,41 @@ +; ************************************************************************** +; * Global options * +; ************************************************************************** + +pid = +foreground = yes + +; Only log messages at severity warning (4) and higher +debug = 4 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +client = yes + +; Some performance tunings +socket = r:TCP_NODELAY=1 + +; Prevent MITM attacks +verifyPeer = yes + +; Disable support for insecure protocols +sslVersionMin = TLSv1.2 +options = NO_COMPRESSION + +; Select permitted SSL ciphers +ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[ldaps] +; dummy address (socket-activated) +accept = 127.0.0.1:0 +connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636 +checkHost = ldap.fripost.org +CAfile = /etc/stunnel/certs/ldap.pem + +; vim:ft=dosini -- cgit v1.2.3