From 7a5cc5032b036f110a19b899cfc264065b473ed1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 2 Jul 2014 17:54:24 +0200 Subject: Use stunnel to secure the connection from the IMAP proxy to the IMAP server. The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does. --- roles/IMAP-proxy/files/etc/stunnel/stunnel.conf | 57 +++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 roles/IMAP-proxy/files/etc/stunnel/stunnel.conf (limited to 'roles/IMAP-proxy/files/etc/stunnel') diff --git a/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf new file mode 100644 index 0000000..026bc30 --- /dev/null +++ b/roles/IMAP-proxy/files/etc/stunnel/stunnel.conf @@ -0,0 +1,57 @@ +; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012 +; Some options used here may be inadequate for your particular configuration +; This sample file does *not* represent stunnel.conf defaults +; Please consult the manual for detailed description of available options + +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; A copy of some devices and system files is needed within the chroot jail +; Chroot conflicts with configuration file reload and many other features +; Remember also to update the logrotate configuration. +;chroot = /var/lib/stunnel4/ +; Chroot jail can be escaped if setuid option is not used +setuid = stunnel4 +setgid = stunnel4 + +; PID is created inside the chroot jail +pid = /var/run/stunnel4/stunnel4.pid + +; Debugging stuff (may useful for troubleshooting) +debug = 4 +;output = /var/log/stunnel4/stunnel.log + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Certificate/key is needed in server mode and optional in client mode +;cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem +client = yes +socket = a:SO_BINDTODEVICE=lo + +; Authentication stuff needs to be configured to prevent MITM attacks +verify = 4 + +; Disable support for insecure SSLv2 protocol +options = NO_SSLv2 +; Workaround for Eudora bug +;options = DONT_INSERT_EMPTY_FRAGMENTS + +; These options provide additional security at some performance degradation +;options = SINGLE_ECDH_USE +;options = SINGLE_DH_USE + +; ************************************************************************** +; * Service definitions (remove all services for inetd mode) * +; ************************************************************************** + +[imaps] +accept = localhost:993 +connect = imap.fripost.org:993 +CAfile = /etc/stunnel/certs/imap.fripost.org.pem +ciphers = ECDH+AES:DH+AES + +; vim:ft=dosini -- cgit v1.2.3